[drupal-devel] [bug] 4.6.2 node.module incorrectly assumes 404 when access denied
Dries
drupal-devel at drupal.org
Sun Jul 31 10:18:32 UTC 2005
Issue status update for
http://drupal.org/node/27864
Post a follow up:
http://drupal.org/project/comments/add/27864
Project: Drupal
Version: 4.6.2
Component: node.module
Category: bug reports
Priority: normal
Assigned to: willmoy
Reported by: willmoy
Updated by: Dries
-Status: patch (code needs review)
+Status: patch (code needs work)
That code is insecure and may lead to SQL injection attacks.
Dries
Previous comments:
------------------------------------------------------------------------
Sat, 30 Jul 2005 19:58:15 +0000 : willmoy
To reproduce:
- Take a page which is denied to anonymous users by node_privacy_byrole
- Go to it as an anonymous user
- Receive 404 error
Note: this bug did not exist in 4.5.x
------------------------------------------------------------------------
Sat, 30 Jul 2005 20:23:02 +0000 : willmoy
Attachment: http://drupal.org/files/issues/27864-user.module-4.6.2.patch (686 bytes)
Tested patch against 4.6.2 branch attached.
------------------------------------------------------------------------
Sun, 31 Jul 2005 01:01:08 +0000 : willmoy
Attachment: http://drupal.org/files/issues/27864-node.module-4.6.2.patch (682 bytes)
New patch. Correctly handles both 403s and 404s. Adds an extra query to
verify which is happening.