[drupal-devel] [bug] Bypass access via comments

chx drupal-devel at drupal.org
Sun Mar 20 09:31:39 UTC 2005


Issue status update for http://drupal.org/node/19009

 Project:      Drupal
 Version:      cvs
 Component:    comment.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  chx
 Reported by:  nazadus
 Updated by:   chx
 Status:       patch
 Attachment:   http://drupal.org/files/issues/comment_reply_access_5.patch (1.65 KB)




chx



Previous comments:
------------------------------------------------------------------------

March 16, 2005 - 20:39 : nazadus

I believe I have found a bug.
If you goto http://www.etherpunk.com/comment/reply/180  (possibly NSFW)
it allows you to view the posting (while you don't have permission to
actually post, it still allows the page to get displayed).
I found this out by using awstats on my box and found that a hidden
page was getting hit fairly common that I really don't want getting
shown (well, it's on the web, I know... but... I'd rather have more
controlled access).
Does this belong in the comment section for not obeying TAC?
Can anyone confirm this on their site?
Kenny


------------------------------------------------------------------------

March 16, 2005 - 21:02 : pyromanfo

That's definitely something you need to take up with the comment module
guys.  It's not just taxonomy access control either, it's the core
node_access hooks in Drupal.  If they'll just check that before
displaying a node for reply, that'd fix it no problem.


------------------------------------------------------------------------

March 16, 2005 - 21:20 : moshe weitzman

filed under comment.module ... note that my big comment patch gets rid
of this page entirely (consolidates under comment/edit) so it might
make sense to apply my patch instead of fixing this.


------------------------------------------------------------------------

March 20, 2005 - 03:14 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access.patch (1.36 KB)

moshe , http://drupal.org/node/18656 this does not seem to affect the
permissions of the comment/reply path.
I think the approach I have taken is blatantly simple: literally check
for access.


------------------------------------------------------------------------

March 20, 2005 - 03:24 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_0.patch (1.51 KB)




------------------------------------------------------------------------

March 20, 2005 - 03:37 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_1.patch (1.56 KB)




------------------------------------------------------------------------

March 20, 2005 - 03:38 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_2.patch (1.56 KB)




------------------------------------------------------------------------

March 20, 2005 - 09:48 : Anonymous

The discovery of this patch makes me wonder, whether we shouldn't
centralize the access controll a bit more.
If a core module can show this kind of bug, contrib modules will almost
certainly.  I propose to do a node_access() check inside node_load.
Gerhard


------------------------------------------------------------------------

March 20, 2005 - 10:03 : Anonymous

I also don't think that the patch is working.
node_access(arg(2)) should probably be node_access('view', $node) and
the node needs loading before.
Gerhard


------------------------------------------------------------------------

March 20, 2005 - 10:28 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_3.patch (1.61 KB)

OK, patch corrected.
I think adding node_access to node_load would break havoc 'cos there
are some routines (even in core) which do not check whether the
node_load was successful or not. This is a whole another topic, please
make another issue.
What we need, IMHO is to patch this quickly...


------------------------------------------------------------------------

March 20, 2005 - 10:31 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_4.patch (1.65 KB)

I also forgot to check whether node_load was successful or not...





More information about the drupal-devel mailing list