June 5th, 2006

Broken X-FB-Auth support in Apache/FotoBilder/Pic.pm

I noted broken X-FB-Auth support in the Pic.pm module. Here is a fix:
--- cvs/fb/lib/Apache/FotoBilder/Pic.pm Mon Jan  2 11:19:23 2006
+++ lib/Apache/FotoBilder/Pic.pm        Mon Jun  5 23:52:15 2006
@@ -79,7 +79,7 @@

     # need to see if there's a reference to this picture in some gallery
     # that the remote user has access to view
-    return 403 unless $up->visible;
+    return 403 unless $up->visible_to($remote);

     my $palspec; # palette colors, set if $extra begins with '/p'
     my $g;       # pic to serve  (FB::Gpic object)
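Review bot: the new call `$up->visible_to($remote)` relies on `$remote` already holding the X-FB-Auth-authenticated user at this point, but nothing in the hunk shows where `$remote` is assigned; confirm it is populated from the X-FB-Auth-aware lookup before line 79 rather than from the same `FB::get_remote()` path the old `visible` used, otherwise the change only moves the problem. Also check what `visible_to` returns when `$remote` is undefined (an anonymous request): the access check must fail closed, returning the 403, for an unauthenticated caller, and a one-line comment above the `return 403` saying that `$remote` may be undef would make that expectation explicit.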
(The error existed because Upic::visible just calls FB::get_remote() to get $remote, without checking X-FB-Auth.)

But I'm not sure; can such a fix cause any security problems?