[drupal-devel] [bug] cvs node.module incorrectly assumes 404 when access denied

willmoy drupal-devel at drupal.org
Mon Aug 1 14:27:15 UTC 2005


Issue status update for 
http://drupal.org/node/27873
Post a follow up: 
http://drupal.org/project/comments/add/27873

 Project:      Drupal
 Version:      cvs
 Component:    node.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  willmoy
 Reported by:  willmoy
 Updated by:   willmoy
-Status:       patch (code needs work)
+Status:       patch (code needs review)
 Attachment:   http://drupal.org/files/issues/27873-node.module-cvs_0.patch (977 bytes)

This patch updated as the 4.6.2 one was.




willmoy



Previous comments:
------------------------------------------------------------------------

Sun, 31 Jul 2005 01:01:32 +0000 : willmoy

Later cousin of http://drupal.org/node/27864 for 4.6.2


To reproduce:
- Take a page which is denied to anonymous users by node_privacy_byrole
- Go to it as an anonymous user
- Receive 404 error


cvs shares the same code for both the view and edit ops, so a slightly
larger patch




------------------------------------------------------------------------

Sun, 31 Jul 2005 01:03:25 +0000 : willmoy

Attachment: http://drupal.org/files/issues/27873-node.module-cvs.patch (977 bytes)

patch attached




------------------------------------------------------------------------

Sun, 31 Jul 2005 10:19:24 +0000 : Dries

That code is insecure and may lead to SQL injection attacks.







More information about the drupal-devel mailing list