[drupal-devel] Contributions: missing access checks
Dries Buytaert
dries at buytaert.net
Sat Jan 22 13:54:11 UTC 2005
For node-level permissions to work and to be secure, you must wrap most
SQL queries that join the node table in a call to node_rewrite_sql().
See http://drupal.org/node/12347 for details.
Note that the lists below probably contain false positives!
Nonetheless, it is recommended that you double-check your modules based
on the information below.
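The before/after pair below is an added illustration and is not part of Dries's message or of any module named in it. It assumes a hypothetical contributed module called example, the HEAD signature node_rewrite_sql($query, $primary_table = 'n', $primary_field = 'nid') and that the node table is aliased as n so the rewriter can find n.nid; both are assumptions, so check them against http://drupal.org/node/12347 before copying the pattern.

```php
<?php
// BEFORE: this listing joins {node} directly and never consults the
// node_access table, so a user who is denied a node by a node-level
// permission module still sees its title here. This is the class of query
// the audit above flags.
function example_recent_titles_unchecked($limit = 10) {
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 ORDER BY n.created DESC";
  $result = db_query_range($sql, 0, $limit);
  $titles = array();
  while ($node = db_fetch_object($result)) {
    $titles[$node->nid] = $node->title;
  }
  return $titles;
}

// AFTER: the same query wrapped in node_rewrite_sql(). The rewriter adds the
// node_access join and WHERE clause for the current user (and lets other
// modules hook the query), so rows the user may not view are filtered out in
// SQL rather than leaking into the list. Assumption: the default primary
// table alias 'n' and primary field 'nid' match the aliases used in $sql.
function example_recent_titles($limit = 10) {
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 ORDER BY n.created DESC";
  $result = db_query_range(node_rewrite_sql($sql), 0, $limit);
  $titles = array();
  while ($node = db_fetch_object($result)) {
    $titles[$node->nid] = $node->title;
  }
  return $titles;
}

// Usage from a block or page callback (hypothetical):
// $items = example_recent_titles(5);
```

A quick check when auditing a module: grep for queries that mention the node table and confirm each listing or count query is passed through node_rewrite_sql() (or, on the DRUPAL-4-5 branch, carries the old node_access_join/where clauses); queries that only run for users who already hold administrative access are the usual legitimate exceptions, which is why the lists below can contain false positives.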
1. The following modules still use node_access_join() and
node_access_where_sql(), the old DRUPAL-4-5 access check mechanism, and
need to be updated to HEAD:
./modules/buddylist/buddylist.module
./modules/ecommerce/product/product.module
./modules/event/event.module
./modules/import_export/import_export.module
./modules/keyword_links/keyword_links.module
./modules/postcard/postcard.module
./modules/project/project.module
./modules/quotes/quotes.module
./modules/recipe/recipe.module
./modules/remindme/remindme.module
./modules/weblink/weblink.module
./sandbox/axel/akvaforum/akvaforum.module
./sandbox/ber/flexinode_blog/blog.module
./sandbox/nysus/newsfeed/newsfeed.module
2. The following modules query the node table but do not appear to use
access checks. One or more of their queries against the node table do
not use node_rewrite_sql() (HEAD), node_access_join() (DRUPAL-4-5) or
node_access_where_sql() (DRUPAL-4-5). These modules might fail to work
with node-level permissions, which would be both insecure and confusing:
./modules/admnotify/admnotify.module
./modules/atom/atom.module
./modules/bookmarks/bookmarks.module
./modules/buddylist/buddylist.module
./modules/commentrss/commentrss.module
./modules/copyright/copyright.module
./modules/daily/daily.module
./modules/ecommerce/parcel/parcel.module
./modules/filestore/filestore.module
./modules/filestore2/filestore2.module
./modules/flexinode/flexinode.module
./modules/friendlist/friendlist.module
./modules/image/image.module
./modules/image_browse/image_browse.module
./modules/image_filter/image_filter.module
./modules/img_assist/img_assist.module
./modules/import_export/import_export.module
./modules/inactive_user/inactive_user.module
./modules/listhandler/listhandler.module
./modules/mail/mail.module
./modules/mail_archive/mail_archive.module
./modules/navigation/navigation.module
./modules/navtable/navtable.module
./modules/node_aggregator/feed.module
./modules/node_aggregator/item.module
./modules/node_privacy_byrole/node_privacy_byrole.module
./modules/og/og.module
./modules/periodical/periodical.module
./modules/popup/popup.module
./modules/postcount_rank/postcount_rank.module
./modules/project/project.module
./modules/quotes/quotes.module
./modules/review/review.module
./modules/scheduler/scheduler.module
./modules/series/series.module
./modules/sidebar/sidebar.module
./modules/spam/spam.module
./modules/subscriptions/subscriptions.module
./modules/syndication/syndication.module
./modules/taxnav/taxnav.module
./modules/taxonomy_access/taxonomy_access.module
./modules/taxonomy_block/taxonomy_block.module
./modules/taxonomy_dhtml/taxonomy_dhtml.module
./modules/textile/textile.module
./modules/title/title.module
./modules/translation/translation.module
./modules/userposts/userposts.module
./modules/volunteer/volunteer.module
./modules/wiki/wiki.module
./sandbox/adrian/modules/weblink.module
./sandbox/ber/flexinode_blog/blog.module
./sandbox/ber/multilingual/multilingual.module
./sandbox/ber/nodeadmin/node.module
./sandbox/ber/related/related.module
./sandbox/geek/activity/activity.module
./sandbox/gordon/image/image.module
./sandbox/jareyero/image/image.module
./sandbox/jareyero/image/imagegallery.module
./sandbox/jseng/drupal4blog/modules/archive.module
./sandbox/jseng/drupal4blog/modules/atom.module
./sandbox/jseng/drupal4blog/modules/blog.module
./sandbox/jseng/drupal4blog/modules/blogapi.module
./sandbox/jseng/drupal4blog/modules/book.module
./sandbox/jseng/drupal4blog/modules/comment.module
./sandbox/jseng/drupal4blog/modules/forum.module
./sandbox/jseng/drupal4blog/modules/node.module
./sandbox/jseng/drupal4blog/modules/page.module
./sandbox/jseng/drupal4blog/modules/ping.module
./sandbox/jseng/drupal4blog/modules/poll.module
./sandbox/jseng/drupal4blog/modules/queue.module
./sandbox/jseng/drupal4blog/modules/statistics.module
./sandbox/jseng/drupal4blog/modules/subscriptions.module
./sandbox/jseng/drupal4blog/modules/taxonomy.module
./sandbox/jseng/drupal4blog/modules/title.module
./sandbox/junyor/comment.module
./sandbox/junyor/notify/notify.module
./sandbox/killes/catalog/catalog.module
./sandbox/killes/event.module
./sandbox/killes/flexinode.module
./sandbox/killes/speed-drupal/modules/statistics/statistics.module
./sandbox/marco/fileapi/filestore.module
./sandbox/marco/fileapi/pgallery.module
./sandbox/mathias/modules/breadcrumb/breadcrumb.module
./sandbox/mathias/modules/indexof/indexof.module
./sandbox/nedjo/modules/mapbuilder/mapbuilder.module
./sandbox/pablobm/modules/comment.module
./sandbox/stefan/image/image.module
./sandbox/stefan/image/imagegallery.module
./sandbox/tapio/todos/todos.module
3. The following contributed modules have been updated to use
node_rewrite_sql():
<empty list>
4. I found several violations in core as well. Several queries in core
need to be reviewed and updated.
--
Dries Buytaert :: http://www.buytaert.net/