[drupal-devel] [bug] cvs node.module incorrectly assumes 404 when access denied
Dries
drupal-devel at drupal.org
Sun Jul 31 10:19:26 UTC 2005
Issue status update for
http://drupal.org/node/27873
Post a follow up:
http://drupal.org/project/comments/add/27873
Project: Drupal
Version: cvs
Component: node.module
Category: bug reports
Priority: normal
Assigned to: willmoy
Reported by: willmoy
Updated by: Dries
-Status: patch (code needs review)
+Status: patch (code needs work)
That code is insecure and may lead to SQL injection attacks.
Dries
Previous comments:
------------------------------------------------------------------------
Sun, 31 Jul 2005 01:01:32 +0000 : willmoy
Later cousin of http://drupal.org/node/27864 for 4.6.2
To reproduce:
- Take a page which is denied to anonymous users by node_privacy_byrole
- Go to it as an anonymous user
- Receive 404 error
cvs shares the same code for both the view and edit ops, so a slightly
larger patch
------------------------------------------------------------------------
Sun, 31 Jul 2005 01:03:25 +0000 : willmoy
Attachment: http://drupal.org/files/issues/27873-node.module-cvs.patch (977 bytes)
patch attached