[drupal-devel] [bug] 4.6.2 node.module incorrectly assumes 404 when access denied

Dries drupal-devel at drupal.org
Sun Jul 31 10:18:32 UTC 2005


Issue status update for 
http://drupal.org/node/27864
Post a follow up: 
http://drupal.org/project/comments/add/27864

 Project:      Drupal
 Version:      4.6.2
 Component:    node.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  willmoy
 Reported by:  willmoy
 Updated by:   Dries
-Status:       patch (code needs review)
+Status:       patch (code needs work)

That code is insecure and may lead to SQL injection attacks.




Dries



Previous comments:
------------------------------------------------------------------------

Sat, 30 Jul 2005 19:58:15 +0000 : willmoy

To reproduce:
- Take a page which is denied to anonymous users by node_privacy_byrole
- Go to it as an anonymous user
- Receive 404 error


Note: this bug did not exist in 4.5.x




------------------------------------------------------------------------

Sat, 30 Jul 2005 20:23:02 +0000 : willmoy

Attachment: http://drupal.org/files/issues/27864-user.module-4.6.2.patch (686 bytes)

Tested patch against 4.6.2 branch attached.




------------------------------------------------------------------------

Sun, 31 Jul 2005 01:01:08 +0000 : willmoy

Attachment: http://drupal.org/files/issues/27864-node.module-4.6.2.patch (682 bytes)

New patch. Correctly handles both 403s and 404s. Adds an extra query to
verify which is happening.






