Merge pull request #248 from dodok8/dodok8-fix-issu-246

dahlia · dahlia · commit 3848a0bb8927 · 2025-10-04T00:19:43.000+09:00
fix: Direct messages are leaked on public post pages
diff --git a/CHANGES.md b/CHANGES.md
@@ -6,6 +6,14 @@ Version 0.6.12
 
 To be released.
 
+ -  Fixed a critical security vulnerability where direct messages were leaked
+    on public post pages. The replies list below posts now correctly filters
+    to show only public or unlisted replies, preventing private conversations
+    from being exposed.  [[#246], [#248] by Hyeonseo Kim]
+
+[#246]: https://github.com/fedify-dev/hollo/issues/246
+[#248]: https://github.com/fedify-dev/hollo/pull/248
+
 
 Version 0.6.11
 --------------
diff --git a/src/pages/profile/profilePost.tsx b/src/pages/profile/profilePost.tsx
@@ -1,4 +1,4 @@
-import { and, eq, or } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import { Hono } from "hono";
 import { Layout } from "../../components/Layout.tsx";
 import { Post as PostView } from "../../components/Post.tsx";
@@ -66,6 +66,7 @@ profilePost.get<"/:handle{@[^/]+}/:id{[-a-f0-9]+}">(async (c) => {
         },
       },
       replies: {
+        where: inArray(posts.visibility, ["public", "unlisted"]),
         with: {
           account: true,
           media: true,
