Issue status update for http://drupal.org/node/27864 Post a follow up: http://drupal.org/project/comments/add/27864 Project: Drupal Version: 4.6.2 Component: node.module Category: bug reports Priority: normal Assigned to: willmoy Reported by: willmoy Updated by: Dries -Status: patch (code needs review) +Status: patch (code needs work) That code is insecure and may lead to SQL injection attacks. Dries Previous comments: ------------------------------------------------------------------------ Sat, 30 Jul 2005 19:58:15 +0000 : willmoy To reproduce: - Take a page which is denied to anonymous users by node_privacy_byrole - Go to it as an anonymous user - Receive 404 error Note: this bug did not exist in 4.5.x ------------------------------------------------------------------------ Sat, 30 Jul 2005 20:23:02 +0000 : willmoy Attachment: http://drupal.org/files/issues/27864-user.module-4.6.2.patch (686 bytes) Tested patch against 4.6.2 branch attached. ------------------------------------------------------------------------ Sun, 31 Jul 2005 01:01:08 +0000 : willmoy Attachment: http://drupal.org/files/issues/27864-node.module-4.6.2.patch (682 bytes) New patch. Correctly handles both 403s and 404s. Adds an extra query to verify which is happening.