MM-36893 : Specially crafted message request crashes the webapp for users who view the message (#18835)

* strip away delete * added tests
2026-02-18 18:18:23 -05:00 · 2021-10-29 20:16:00 +05:30 · 2021-10-29 20:16:00 +05:30 · bf589c2995
commit bf589c2995
parent 8c4e6a85b3
2 changed files with 5 additions and 1 deletions
--- a/api4/post.go
+++ b/api4/post.go
@ -43,6 +43,9 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// Strip away delete_at if passed
+	post.DeleteAt = 0
+
 	post.UserId = c.AppContext.Session().UserId

 	auditRec := c.MakeAuditRecord("createPost", audit.Fail)
--- a/api4/post_test.go
+++ b/api4/post_test.go
@ -35,7 +35,7 @@ func TestCreatePost(t *testing.T) {
 	defer th.TearDown()
 	client := th.Client

-	post := &model.Post{ChannelId: th.BasicChannel.Id, Message: "#hashtag a" + model.NewId() + "a", Props: model.StringInterface{model.PropsAddChannelMember: "no good"}}
+	post := &model.Post{ChannelId: th.BasicChannel.Id, Message: "#hashtag a" + model.NewId() + "a", Props: model.StringInterface{model.PropsAddChannelMember: "no good"}, DeleteAt: 101}

 	rpost, resp, err2 := client.CreatePost(post)
 	require.NoError(t, err2)
@ -46,6 +46,7 @@ func TestCreatePost(t *testing.T) {
 	require.Empty(t, rpost.FileIds)
 	require.Equal(t, 0, int(rpost.EditAt), "newly created post shouldn't have EditAt set")
 	require.Nil(t, rpost.GetProp(model.PropsAddChannelMember), "newly created post shouldn't have Props['add_channel_member'] set")
+	require.Equal(t, 0, int(rpost.DeleteAt), "newly created post shouldn't have DeleteAt set")

 	post.RootId = rpost.Id
 	_, _, err2 = client.CreatePost(post)