From f4c3fd5a73481f5f219ed61a8757c6b6db48352f Mon Sep 17 00:00:00 2001 From: webzwo0i Date: Sun, 25 Jun 2023 20:56:28 +0200 Subject: [PATCH] ensure targetRev is limited to headRev in getInternalRevisionAText --- CHANGELOG.md | 3 +++ src/node/db/Pad.js | 3 +++ 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b79217324..e82d99ed8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ### Notable enhancements and fixes +* Security + * Limit requested revisions in timeslider and export to head revision. (affects v1.9.0) + * Bugfixes * revisions in `CHANGESET_REQ` (timeslider) and export (txt, html, custom) are now checked to be numbers. diff --git a/src/node/db/Pad.js b/src/node/db/Pad.js index b692962f1..a9c87541f 100644 --- a/src/node/db/Pad.js +++ b/src/node/db/Pad.js @@ -172,6 +172,9 @@ class Pad { async getInternalRevisionAText(targetRev) { const keyRev = this.getKeyRevisionNumber(targetRev); + const headRev = this.getHeadRevisionNumber(); + if (targetRev > headRev) + targetRev = headRev; const [keyAText, changesets] = await Promise.all([ this._getKeyRevisionAText(keyRev), Promise.all(
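Review bot: `keyRev` is still derived from the unclamped `targetRev`, because the new bound check sits after `const keyRev = this.getKeyRevisionNumber(targetRev);`. `getKeyRevisionNumber` is not shown in the hunk, but if it rounds down from its argument, a request above head may still hand an out-of-range key revision to `_getKeyRevisionAText(keyRev)`. Clamp first and compute the key revision afterwards: `const headRev = this.getHeadRevisionNumber();`, `if (targetRev > headRev) targetRev = headRev;`, `const keyRev = this.getKeyRevisionNumber(targetRev);`. The `>` comparison also leaves negative values and NaN untouched; the changelog says the callers check that revisions are numbers, but a lower-bound and integer check here would not depend on every caller doing so. The body of `getInternalRevisionAText` continues past the end of the hunk, so how `keyAText` is consumed is not visible here.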