
CVE-2022-21678: FIX: Hide user's bio if profile is restricted · discourse/discourse@5e2e178

Discourse is an open source discussion platform. Prior to version 2.8.0.beta11 in the tests-passed branch, version 2.8.0.beta11 in the beta branch, and version 2.7.13 in the stable branch, the bios of users who made their profiles private were still visible in the <meta> tags on their users’ pages. The problem is patched in tests-passed version 2.8.0.beta11, beta version 2.8.0.beta11, and stable version 2.7.13 of Discourse.
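A regression check for the leak described above, as an added example that is not Discourse's code or part of the commit: it scans a profile page's `<meta>` tags for the bio after decoding HTML entities, so an escaped bio is still caught. The function name, the sample pages and the meta tag names in them are constructed for illustration.

```ruby
require "cgi"

# Return the name/property of every <meta> tag whose content contains `bio`.
# Content is entity-decoded and whitespace-collapsed first, so a bio that was
# HTML-escaped on output ("Tom &amp; Jerry") is still matched.
def meta_tags_leaking(html, bio)
  needle = bio.gsub(/\s+/, " ").strip.downcase
  return [] if needle.empty?

  # Quoted attribute values may contain ">", so skip over them as units.
  html.scan(/<meta\b(?:[^>"']|"[^"]*"|'[^']*')*>/i).filter_map do |tag|
    attrs = tag.scan(/([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/)
               .to_h { |key, dq, sq| [key.downcase, dq || sq] }
    content = CGI.unescapeHTML(attrs["content"].to_s).gsub(/\s+/, " ").downcase
    next unless content.include?(needle)

    attrs["name"] || attrs["property"] || "(unnamed meta)"
  end
end

# Constructed sample pages (not captured from a real Discourse instance).
BIO = "Hello world! Tom & Jerry"

LEAKY_PAGE = <<~HTML
  <html><head>
    <title>Profile - user1</title>
    <meta name="description" content="Hello world! Tom &amp; Jerry">
    <meta property="og:description" content='Hello world! Tom &amp; Jerry' />
    <meta name="viewport" content="width=device-width">
  </head><body><p>This user's public profile is hidden.</p></body></html>
HTML

PATCHED_PAGE = <<~HTML
  <html><head>
    <title>Profile - user1</title>
    <meta name="description" content="">
    <meta name="viewport" content="width=device-width">
  </head><body><p>This user's public profile is hidden.</p></body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  puts "leaky:   #{meta_tags_leaking(LEAKY_PAGE, BIO).inspect}"
  puts "patched: #{meta_tags_leaking(PATCHED_PAGE, BIO).inspect}"
end
```

A plain substring search of the raw HTML for the bio misses the leaky sample because the ampersand is entity-encoded; the decoded comparison does not.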


@@ -3674,6 +3674,16 @@ def create_and_like_post(likee, liker)

expect(response.body).to include(user1.username)

end

it “should not be able to view a private user profile” do

user1.user_profile.update!(bio_raw: “Hello world!”)

user1.user_option.update!(hide_profile_and_presence: true)

get “/u/#{user1.username}”

expect(response.status).to eq(200)

expect(response.body).not_to include(“Hello world!”)

end

describe ‘when username contains a period’ do

before_all do

user1.update!(username: ‘test.test’)
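Review bot: The new example has no positive control: its only content check is the not_to include assertion on the whole response body, so it also passes if the bio is never rendered for this request for some unrelated reason. Consider adding a companion example with hide_profile_and_presence left false that expects "Hello world!" to be present, so the pair proves the option is what removes it. The example name also says the profile cannot be viewed while the body expects a 200 status; a name along the lines of "should not include the bio of a private user profile" would match what is asserted.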
