Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
D8 follow-up for http://drupal.org/SA-CORE-2013-001
Description
When using the URL for the printer-friendly version of a book post, the only access check being done is against a user permission. This means it is possible that a user does not have node view access to a post, but they can still see the printer-friendly version of that post.
Discovered by mark.lindsey
Comment | File | Size | Author |
---|---|---|---|
#12 | book-node-access-1890748-12.patch | 4.1 KB | klausi |
#12 | book-node-access-1890748-12-interdiff.txt | 2.4 KB | klausi |
#6 | book-printer-friendly-1890748-6-TESTS-ONLY.patch | 1005 bytes | David_Rothstein |
#6 | book-printer-friendly-1890748-6.patch | 4.03 KB | David_Rothstein |
#1 | sdo-book-export-access-D7.patch | 1.34 KB | pwolanin |
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedFor D8, there's cleanup to be done beyond the minimal sec fix.
For D7 we discussed changing the path to %node, which would mean we're passing $node into the page callback and other functions and that looks to me like we're breaking APIs which we didn't want to do in D7. We can, however, define a custom load function and do some later cleanup in public.
Attached patch is a starting point - an intermediate version I rolled of the fix that went into D7 that started modifying the router in a conservative way, but even thought was considered too breaking for D7.
Comment #2
catchComment #3
plachCan we straightforwardly port the security fix and then work on cleaning it up with a lesser priority?
Comment #4
pwolanin CreditAttribution: pwolanin commented@plach. The complexity of the 2 patches would be nearly the same, let's not put off simple fixes.
Comment #5
David_Rothstein CreditAttribution: David_Rothstein commentedYeah, in this case the code debt made what should have been an obvious patch (add a new access callback) into a more complicated issue for the security team, which is low on resources for core issues as it is... so it would be great to fix it here and prevent that problem in the future.
I would say in this issue we should at least switch to
book/export/%/%node
(arguably evenbook/export/html/%node
, since contrib modules can easily define their own menu entries for alternative export methods if they want to; but that part might be out of scope).Comment #6
David_Rothstein CreditAttribution: David_Rothstein commentedUntested patch, but let's let the testbot test it...
Comment #7
David_Rothstein CreditAttribution: David_Rothstein commentedAbove patch only switches to
book/export/html/%node
by the way.Comment #9
David_Rothstein CreditAttribution: David_Rothstein commented#6: book-printer-friendly-1890748-6.patch queued for re-testing.
Comment #10
BerdirShould be @param \Drupal\... :)
Why mark this is a private function?
Comment #11
David_Rothstein CreditAttribution: David_Rothstein commentedHm, well in both cases I just copied the way Book module was already doing it :)
Comment #12
klausiFixed Berdir's comments and added proper type hinting.
I would want to replace node_access() with $node->access(), but I guess the node access controller is not ready yet.
Comment #13
BerdirLooks good, has tests and fixes the bug.
The callback there is a bit tricky, as that seems to be pluggable, so someone could provide book/export/pdf/123. Might require a change notice?
Comment #14
webchickAwesome work, folks.
Committed and pushed to 8.x. I think the tests should probably be backported to 7.x yes?
Comment #15
klausiThe test case for Drupal 7 has already been committed with the security fix.
Comment #16
David_Rothstein CreditAttribution: David_Rothstein commentedYup, comparing the Drupal 7 to Drupal 8 commits for these tests I don't see any differences.
Restoring original issue priority also.