Commit 9fdfb4f

DeepDiver1975 and claude committed
changelog: add entry for OC10-53 IDOR fix in WebDAV comments API
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
1 parent 3249e61 commit 9fdfb4f

1 file changed

Lines changed: 5 additions & 0 deletions

changelog/unreleased/41558

@@ -0,0 +1,5 @@
1+
Fix: Prevent IDOR in WebDAV comments API
2+
3+
Authenticated users could read, edit, or delete comments on files they have no access to by supplying an arbitrary comment ID in the WebDAV comments endpoint. The fix verifies that a requested comment belongs to the file in the URL before returning it.
4+
5+
https://github.com/owncloud/core/pull/41558
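
Review bot: The closing sentence of the description paragraph (line 3 of the new file) says the check runs "before returning it", which reads as covering only the read case, while the sentence before it lists read, edit, and delete as affected operations. If the ownership check also gates the edit and delete paths, say so explicitly, for example "verifies that a requested comment belongs to the file in the URL before it is returned, modified, or deleted"; if it only gates reads, the entry should not imply the other two are fixed. The commit subject names the issue as OC10-53, but the entry body does not carry that identifier; adding it would let readers of the release notes match this entry to the advisory.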
