From 6353a7c2decd62098ebc96951c38c9aade44fc4c Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Thu, 11 Feb 2010 14:28:32 -0800
Subject: Security: Fix leaking of album / photo names. Reject previous fix for
 ticket 1009. Side effect: Renaming auth::required_login() to login_page().

---
 modules/gallery/helpers/access.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'modules/gallery/helpers/access.php')

diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 29b981e8..7e8b079a 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -118,7 +118,12 @@ class access_Core {
    */
   static function required($perm_name, $item) {
     if (!self::can($perm_name, $item)) {
-      self::forbidden();
+      if ($perm_name == "view") {
+        // Treat as if the item didn't exist, don't leak any information.
+        throw new Kohana_404_Exception();
+      } else {
+        self::forbidden();
+      }
     }
   }
 
-- 
cgit v1.2.3