As learned during debugging #1179426: File module security fixes from SA-CORE-2011-001 not yet applied to Drupal 8, file_download will return a 404 if no modules respond with headers. That's incorrect -- we know the file exists as the function checks for it already, so we need to return 403 instead of a 404. Patch needs doxygen changes, possibly tests -- although writing tests is borderline trivial after the other issue went in because we just need to flip the final assertResponse to 403.
Comment | File | Size | Author |
---|---|---|---|
#5 | 1221214-5.patch | 1.87 KB | chx |
 | file_download_drupal_access_denied.patch | 325 bytes | chx |
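
The decision the issue summary describes, as an added stand-alone PHP 8 example (not Drupal core code and not the attached patch). The function names `collect_results` and `download_status`, the two handlers and the URIs are assumptions made for illustration; the handlers stand in for modules that respond with headers, deny with -1, or stay silent.

```php
<?php
// Simplified, stand-alone model of the download decision; not Drupal core code.
// Each handler stands in for one module's response: an array of headers
// (grant), -1 (deny), or NULL (the module does not manage this file).
function collect_results(array $handlers, string $uri): array {
  $results = [];
  foreach ($handlers as $handler) {
    $r = $handler($uri);
    if (is_array($r)) {
      $results = array_merge($results, $r);
    }
    elseif ($r !== NULL) {
      $results[] = $r;
    }
  }
  return $results;
}

function download_status(bool $exists, array $handlers, string $uri): int {
  if (!$exists) {
    return 404; // Nothing is stored at this URI.
  }
  $results = collect_results($handlers, $uri);
  if (in_array(-1, $results, TRUE)) {
    return 403; // Any explicit denial wins over grants.
  }
  if (count($results) > 0) {
    return 200; // At least one handler supplied headers.
  }
  // The file exists but no handler vouched for it: deny, do not claim "not found".
  return 403;
}

// Constructed handlers and URIs for illustration.
$grant = fn($uri) => str_starts_with($uri, 'private://reports/') ? ['Content-Type' => 'application/pdf'] : NULL;
$deny = fn($uri) => str_ends_with($uri, '.key') ? -1 : NULL;
$cases = [
  ['private://reports/q1.pdf', TRUE],
  ['private://reports/site.key', TRUE],
  ['private://orphan.txt', TRUE],
  ['private://missing.txt', FALSE],
];
foreach ($cases as [$uri, $exists]) {
  printf("%-28s %d\n", $uri, download_status($exists, [$grant, $deny], $uri));
}
```

The `private://orphan.txt` case is the one this issue is about: the file exists and no handler responds, so the final branch decides the status code.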
Comments
Comment #1
chx
Comment #2
aaron
file_download_drupal_access_denied.patch queued for re-testing.
Comment #3
aaron
works as advertised.
Comment #4
aaron
chx, what test needs changing? I only see the following, which looks correct to me:
Comment #5
chx
Comment #6
chx
Comment #7
tstoeckler
I looked at the surrounding code and this patch really does make a lot of sense, and is self-documented.
The whole file API is a bit out of my league, though, so leaving for another review before RTBC.
Comment #8
aaron
great! thanks, chx
Comment #9
xjm
Tagging issues not yet using summary template.
Comment #10
Dries
Committed to 7.x and 8.x. Thanks chx.