fix: Don't resend webxdc status updates in OutBroadcast-s (#7679)

iequidoo · iequidoo · commit d250e7074433 · 2026-02-08T09:02:10.000-03:00
We don't remember which status updates are "initial" (sent initially by the broadcast owner) and
which were sent by subscribers, so don't resend any of them to avoid accidental sharing of
confidential data.
diff --git a/src/chat.rs b/src/chat.rs
@@ -4560,7 +4560,7 @@ pub async fn resend_msgs(context: &Context, msg_ids: &[MsgId]) -> Result<()> {
         // note(treefit): only matters if it is the last message in chat (but probably to expensive to check, debounce also solves it)
         chatlist_events::emit_chatlist_item_changed(context, msg.chat_id);
 
-        if msg.viewtype == Viewtype::Webxdc {
+        if msg.viewtype == Viewtype::Webxdc && msg.chat_typ != Chattype::OutBroadcast {
             let conn_fn = |conn: &mut rusqlite::Connection| {
                 let range = conn.query_row(
                     "SELECT IFNULL(min(id), 1), IFNULL(max(id), 0) \
diff --git a/src/constants.rs b/src/constants.rs
@@ -107,12 +107,14 @@ pub const DC_CHAT_ID_LAST_SPECIAL: ChatId = ChatId::new(9);
     IntoStaticStr,
     Serialize,
     Deserialize,
+    Default,
 )]
 #[repr(u32)]
 pub enum Chattype {
     /// A 1:1 chat, i.e. a normal chat with a single contact.
     ///
     /// Created by [`ChatId::create_for_contact`].
+    #[default]
     Single = 100,
 
     /// Group chat.
diff --git a/src/message.rs b/src/message.rs
@@ -452,6 +452,7 @@ pub struct Message {
     pub(crate) is_dc_message: MessengerMessage,
     pub(crate) original_msg_id: MsgId,
     pub(crate) mime_modified: bool,
+    pub(crate) chat_typ: Chattype,
     pub(crate) chat_visibility: ChatVisibility,
     pub(crate) chat_blocked: Blocked,
     pub(crate) location_id: u32,
@@ -526,6 +527,7 @@ impl Message {
                     m.param AS param,
                     m.hidden AS hidden,
                     m.location_id AS location,
+                    c.type AS chat_typ,
                     c.archived AS visibility,
                     c.blocked AS blocked
                  FROM msgs m
@@ -585,6 +587,10 @@ impl Message {
                         param: row.get::<_, String>("param")?.parse().unwrap_or_default(),
                         hidden: row.get("hidden")?,
                         location_id: row.get("location")?,
+                        // This is safe: see `ChatId::delete_ex()`, `None` chat type can't happen.
+                        chat_typ: row
+                            .get::<_, Option<_>>("chat_typ")?
+                            .unwrap_or(Chattype::Single),
                         chat_visibility: row.get::<_, Option<_>>("visibility")?.unwrap_or_default(),
                         chat_blocked: row
                             .get::<_, Option<Blocked>>("blocked")?
diff --git a/src/mimefactory.rs b/src/mimefactory.rs
@@ -2009,14 +2009,15 @@ impl MimeFactory {
                 HeaderDef::IrohGossipTopic.get_headername(),
                 mail_builder::headers::raw::Raw::new(topic).into(),
             ));
-            if let (Some(json), _) = context
-                .render_webxdc_status_update_object(
-                    msg.id,
-                    StatusUpdateSerial::MIN,
-                    StatusUpdateSerial::MAX,
-                    None,
-                )
-                .await?
+            if msg.chat_typ != Chattype::OutBroadcast
+                && let (Some(json), _) = context
+                    .render_webxdc_status_update_object(
+                        msg.id,
+                        StatusUpdateSerial::MIN,
+                        StatusUpdateSerial::MAX,
+                        None,
+                    )
+                    .await?
             {
                 parts.push(context.build_status_update_part(&json));
             }
diff --git a/src/webxdc/webxdc_tests.rs b/src/webxdc/webxdc_tests.rs
@@ -1612,7 +1612,7 @@ async fn test_in_broadcast_send_status_update() -> Result<()> {
     bob.send_webxdc_status_update(bob_instance.id, r#"{"payload":42}"#)
         .await?;
     bob.flush_status_updates().await?;
-    let sent_msg = bob.pop_sent_msg().await;
+    let sent_msg = bob.pop_sent_msg_opt(Duration::ZERO).await.unwrap();
 
     alice.recv_msg_trash(&sent_msg).await;
     assert_eq!(
@@ -1636,6 +1636,24 @@ async fn test_in_broadcast_send_status_update() -> Result<()> {
     let status =
         helper_send_receive_status_update(bob, alice, &bob_instance, &alice_instance).await?;
     assert_eq!(status, r#"[{"payload":42,"serial":1,"max_serial":1}]"#);
+
+    // Subscribers' status updates are confidential.
+    let fiona = &tcm.fiona().await;
+    let fiona_chat_id = tcm.exec_securejoin_qr(fiona, alice, &qr).await;
+    resend_msgs(alice, &[alice_instance.id]).await?;
+    let sent1 = alice.pop_sent_msg().await;
+    alice.flush_status_updates().await?;
+    // See above for bob -- status updates are flushed immediately, no need to wait.
+    assert!(alice.pop_sent_msg_opt(Duration::ZERO).await.is_none());
+    let fiona_instance = fiona.recv_msg(&sent1).await;
+    assert_eq!(fiona_instance.chat_id, fiona_chat_id);
+    assert_eq!(fiona_instance.chat_typ, Chattype::InBroadcast);
+    assert_eq!(
+        fiona
+            .get_webxdc_status_updates(fiona_instance.id, StatusUpdateSerial(0))
+            .await?,
+        r#"[]"#
+    );
     Ok(())
 }
 
