April 6th, 2009

cs is gf

Bug in /customize/advanced/styles.bml when using canview.

This will likely affect everyone with a small number of webslaves.

If you happen to be assigned to the same webslave and process as somebody who
recently used canview on /customize/advanced/styles.bml and you attempt to save
your style, you will be redirected to a URL with ?user=canview_victim.

This does not allow the user without canview to actually view canview_victim's
styles, but it still leaks the information that canview was used, and on whom it
was used.

The patch can be found here:
http://code.livejournal.org/trac/livejournal/changeset/15078/trunk/htdocs/customize/advanced/styles.bml
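
The behaviour described above, as an added model that is neither LiveJournal's code nor the linked patch. It assumes the cause is a view-as target kept in state that outlives a single request inside a long-lived worker process; the class and function names are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

STYLES_PATH = "/customize/advanced/styles.bml"

def redirect_url(view_as):
    """Build the post-save redirect; ?user= is added only when viewing as someone."""
    return STYLES_PATH + ("?" + urlencode({"user": view_as}) if view_as else "")

class LeakyWorker:
    """One long-lived worker process; view_as is process state (assumed bug class)."""
    def __init__(self):
        self.view_as = None

    def save_style(self, params, has_canview):
        if has_canview and params.get("user"):
            self.view_as = params["user"]
        # Defect: view_as is never reset, so it survives into the next request.
        return redirect_url(self.view_as)

class FixedWorker:
    """Same handler with view_as scoped to the request."""
    def save_style(self, params, has_canview):
        view_as = params.get("user") if has_canview else None
        return redirect_url(view_as)

def leaked_user(worker):
    """Replay a canview request, then an ordinary one, on the same worker.

    Returns the user name echoed to the second requester, or None.
    The request parameters are constructed sample input.
    """
    worker.save_style({"user": "canview_victim"}, has_canview=True)
    location = worker.save_style({}, has_canview=False)
    query = parse_qs(urlsplit(location).query)
    return query.get("user", [None])[0]

if __name__ == "__main__":
    print("leaky:", leaked_user(LeakyWorker()))
    print("fixed:", leaked_user(FixedWorker()))
```

The `leaked_user` replay doubles as a regression check: run against a single worker, it fails whenever the second, unprivileged response carries a user name the requester never supplied.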