Fixed GHSA-5pgf-h923-m958

brandonkelly · brandonkelly · commit d30df3112220 · 2026-02-25T10:08:44.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Unreleased
 
 - The `PDO::MYSQL_ATTR_MULTI_STATEMENTS` attribute is no longer set by default for database connections. ([#18474](https://github.com/craftcms/cms/issues/18474))
+- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-5pgf-h923-m958)
 
 ## 4.17.7 - 2026-02-24
 
diff --git a/src/controllers/AssetsController.php b/src/controllers/AssetsController.php
@@ -1194,6 +1194,9 @@ public function actionPreviewFile(): Response
             return $this->asFailure(Craft::t('app', 'Asset not found with that id'));
         }
 
+        $this->requireVolumePermissionByAsset('viewAssets', $asset);
+        $this->requirePeerVolumePermissionByAsset('viewPeerAssets', $asset);
+
         $previewHtml = null;
 
         $previewHandler = Craft::$app->getAssets()->getAssetPreviewHandler($asset);

Original file line number	Diff line number	Diff line change
`@@ -1194,6 +1194,9 @@ public function actionPreviewFile(): Response`
`1194`	`1194`	`return $this->asFailure(Craft::t('app', 'Asset not found with that id'));`
`1195`	`1195`	`}`
`1196`	`1196`
	`1197`	`+ $this->requireVolumePermissionByAsset('viewAssets', $asset);`
	`1198`	`+ $this->requirePeerVolumePermissionByAsset('viewPeerAssets', $asset);`
	`1199`	`+`
`1197`	`1200`	`$previewHtml = null;`
`1198`	`1201`
`1199`	`1202`	`$previewHandler = Craft::$app->getAssets()->getAssetPreviewHandler($asset);`