  • Fix incorrect key handling in extended policy filtering · f59ebf4c
    epriestley authored
    Summary:
    Via HackerOne. The use of `$key` here should be `$extended_key`.
    
    Exploiting this requires a very unusual group of objects to be subjected to extended policy checks. I believe there is no way to actually get anything bad through the policy filter today, but this could have been an issue in the future.
    
    Test Plan:
      - Added a unit test which snuck something through the policy filter.
      - Fixed use of `$extended_key`.
      - Test now passes.
    
    Reviewers: chad
    
    Reviewed By: chad
    
    Differential Revision: https://secure.phabricator.com/D14993