From: Chocobozzz Date: Wed, 31 Jan 2018 13:40:42 +0000 (+0100) Subject: Don't leak unlisted videos X-Git-Tag: v0.0.20-alpha~5 X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=81ebea48bfba2d81e62dd7a0f01a0cadf41d2607;p=github%2FChocobozzz%2FPeerTube.git Don't leak unlisted videos --- diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index 1acb306c0..a365ed217 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts @@ -2,7 +2,7 @@ import * as express from 'express' import 'express-validator' import { body, param, query } from 'express-validator/check' import { UserRight, VideoPrivacy } from '../../../shared' -import { isBooleanValid, isIdOrUUIDValid, isIdValid } from '../../helpers/custom-validators/misc' +import { isBooleanValid, isIdOrUUIDValid, isIdValid, isUUIDValid } from '../../helpers/custom-validators/misc' import { isVideoAbuseReasonValid, isVideoCategoryValid, isVideoDescriptionValid, isVideoExist, isVideoFile, isVideoLanguageValid, isVideoLicenceValid, isVideoNameValid, isVideoPrivacyValid, isVideoRatingTypeValid, isVideoTagsValid @@ -134,9 +134,18 @@ const videosGetValidator = [ const video = res.locals.video - // Video is not private, anyone can access it - if (video.privacy !== VideoPrivacy.PRIVATE) return next() + // Video is public, anyone can access it + if (video.privacy === VideoPrivacy.PUBLIC) return next() + // Video is unlisted, check we used the uuid to fetch it + if (video.privacy === VideoPrivacy.UNLISTED) { + if (isUUIDValid(req.params.id)) return next() + + // Don't leak this unlisted video + return res.status(404).end() + } + + // Video is private, check the user authenticate(req, res, () => { if (video.VideoChannel.Account.userId !== res.locals.oauth.token.User.id) { return res.status(403)