cloudflare/wildebeest

Private messages are included on local timeline

koehn opened this issue · 15 comments

koehn commented
  1. From the Mastodon client, create a Toot.
  2. Set the audience to “only people I mention” and mention someone, and send the message
  3. Go to the main https page for your site (e.g., https://example.com/explore) and select “Local” from the list on the right
  4. Your private messages are displayed there

Lol. Lmao.

When will the feature be renamed to Public Messages?

you've got nothing to hide

Has anyone clarified whether this is only visible logged in as yourself (laughably bad ux that could be panic inducing for users, but not actually a privacy leak) or publicly?

took a peek at the code and it looks like there is no attempt at authentication or filtering, lol

it's also real cool and good to assemble the sql statements with string interpolation. afaict that doesn't cause any sql injection problems in the current code, but as soon as there's a path that calls getObjectBy with an attacker-controlled key or something like that there's gonna be problems.

definitely not a sign of half baked software rushed to ship or anything like that!

I suppose this is an innovative solution to the "Mastodon admins can read your DMs" controversy, but possibly not the one I'd have picked

Is this the part where I start to shill other Fedi software?

xtuc commented

Currently private messages are not supported, they might be displayed on public timelines. I temporarily locked this issue to avoid spam.

Would I be correct in thinking that incoming private messages (and not just outgoing private messages) would be publicly available?

The whole fediverse to CF rn:

xtuc commented

Locking the issue permanently.

As I said in #303 (comment), at the moment, private messages are not supported and we are well aware. Our team is looking into it.

Thanks for the issue @koehn. Feel free to reach out to me directly on Discord for concerns / questions.

xtuc commented

A fix has been merged. Private messages sent from Wildebeest are not showing in public timelines anymore. Please sync your forks to patch your instance.

Also note that, for safety, toots with private or unlisted visibility are now rejected until we implement them properly.

In the future, issues that could be security related can be reported via https://github.com/cloudflare/wildebeest/blob/main/SECURITY.md.

Closing this since the original issue has been addressed.
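The two defects discussed in this thread (a local timeline with no visibility filtering, and SQL text assembled by string interpolation) and the interim fix (rejecting visibilities that are not yet implemented) are illustrated below in an added example. This is not Wildebeest's code: the `Toot` shape, the in-memory sample rows, the `?1` placeholder convention and the `sql`/`params` pair standing in for a `prepare(...).bind(...)` style API are all assumptions made for the example.

```typescript
// Added example, not Wildebeest's own code. Shows (1) a local timeline that
// only ever returns public toots, (2) a per-viewer filter that keeps direct
// messages to sender and recipient, (3) parameterised queries instead of
// string interpolation, and (4) rejecting visibilities that are not
// implemented yet, mirroring the maintainers' interim fix.

type Visibility = 'public' | 'unlisted' | 'private' | 'direct';

interface Toot {
  id: string;
  author: string;
  content: string;
  visibility: Visibility;
  mentions: string[]; // accounts addressed in the toot
}

// Constructed sample rows standing in for an objects table (assumed shape).
export const SAMPLE_TOOTS: Toot[] = [
  { id: '1', author: 'alice', content: 'hello world', visibility: 'public', mentions: [] },
  { id: '2', author: 'alice', content: 'for bob only', visibility: 'direct', mentions: ['bob'] },
  { id: '3', author: 'carol', content: 'followers only', visibility: 'private', mentions: [] },
  { id: '4', author: 'carol', content: 'unlisted note', visibility: 'unlisted', mentions: [] },
];

// The unauthenticated local timeline: nothing but public toots, regardless
// of who (if anyone) is asking. This is the filter the original code lacked.
export function localTimeline(toots: Toot[]): Toot[] {
  return toots.filter((t) => t.visibility === 'public');
}

// Per-viewer visibility. Direct messages are shown only to their author and
// the mentioned accounts; follower-only toots would need follow state, which
// this example does not model, so only the author sees them here.
export function visibleTo(toots: Toot[], viewer: string | null): Toot[] {
  return toots.filter((t) => {
    switch (t.visibility) {
      case 'public':
        return true;
      case 'unlisted':
        return viewer !== null;
      case 'direct':
        return viewer !== null && (t.author === viewer || t.mentions.includes(viewer));
      case 'private':
        return viewer !== null && t.author === viewer;
      default:
        return false;
    }
  });
}

// The shape to avoid: the key becomes part of the SQL text, so any quote
// character in it changes the statement's structure.
export function buildQueryInterpolated(key: string): string {
  return `SELECT * FROM objects WHERE id = '${key}'`;
}

// The safer shape: SQL text is constant, the value travels as a bound
// parameter (placeholder syntax and the sql/params pair are assumed).
export interface PreparedQuery {
  sql: string;
  params: unknown[];
}
export function buildQueryParameterised(key: string): PreparedQuery {
  return { sql: 'SELECT * FROM objects WHERE id = ?1', params: [key] };
}

// Interim safety check from the fix: only implemented visibilities are
// accepted at creation time, so nothing can leak through an unfiltered path.
const IMPLEMENTED: ReadonlySet<Visibility> = new Set<Visibility>(['public']);
export function acceptToot(t: Toot): { ok: boolean; reason?: string } {
  if (!IMPLEMENTED.has(t.visibility)) {
    return { ok: false, reason: `visibility '${t.visibility}' is not supported yet` };
  }
  return { ok: true };
}

export function ids(toots: Toot[]): string {
  return toots.map((t) => t.id).join(',');
}
```

Running `ids(localTimeline(SAMPLE_TOOTS))` yields `1`, while `ids(visibleTo(SAMPLE_TOOTS, 'bob'))` yields `1,2,4`: the direct message reaches its recipient but never the public timeline. `buildQueryInterpolated("o'brien")` shows the stray quote landing inside the statement text, whereas the parameterised version keeps the SQL constant and carries the value separately.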