D8 follow-up for http://drupal.org/SA-CORE-2013-001

Description
When using the URL for the printer-friendly version of a book post, the only access check being done is against a user permission. This means it is possible that a user does not have node view access to a post, but they can still see the printer-friendly version of that post.

Discovered by mark.lindsey

CommentFileSizeAuthor
#12 book-node-access-1890748-12.patch4.1 KBklausi
#12 book-node-access-1890748-12-interdiff.txt2.4 KBklausi
#6 book-printer-friendly-1890748-6-TESTS-ONLY.patch1005 bytesDavid_Rothstein
#6 book-printer-friendly-1890748-6.patch4.03 KBDavid_Rothstein
#1 sdo-book-export-access-D7.patch1.34 KBpwolanin
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Status: Active » Patch (to be ported)
FileSize
sdo-book-export-access-D7.patch1.34 KB

For D8, there's cleanup to be done beyond the minimal sec fix.

For D7 we discussed changing the path to %node, which would mean we're passing $node into the page callback and other functions and that looks to me like we're breaking APIs which we didn't want to do in D7. We can, however, define a custom load function and do some later cleanup in public.

Attached patch is a starting point - an intermediate version I rolled of the fix that went into D7 that started modifying the router in a conservative way, but even thought was considered too breaking for D7.

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Priority: Major » Critical
plach’s picture

plach
he/him
Primary language Italian
Location Venezia
CreditAttribution: plach commented

Can we straightforwardly port the security fix and then work on cleaning it up with a lesser priority?

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented

@plach. The complexity of the 2 patches would be nearly the same, let's not put off simple fixes.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

Yeah, in this case the code debt made what should have been an obvious patch (add a new access callback) into a more complicated issue for the security team, which is low on resources for core issues as it is... so it would be great to fix it here and prevent that problem in the future.

I would say in this issue we should at least switch to book/export/%/%node (arguably even book/export/html/%node, since contrib modules can easily define their own menu entries for alternative export methods if they want to; but that part might be out of scope).

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Status: Patch (to be ported) » Needs review
FileSize
book-printer-friendly-1890748-6.patch4.03 KB
book-printer-friendly-1890748-6-TESTS-ONLY.patch1005 bytes

Untested patch, but let's let the testbot test it...

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

Above patch only switches to book/export/html/%node by the way.

Status: Needs review » Needs work
Issue tags: -Security Advisory follow-up, -security.drupal.org

The last submitted patch, book-printer-friendly-1890748-6.patch, failed testing.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Status: Needs work » Needs review
Issue tags: +Security Advisory follow-up, +security.drupal.org

#6: book-printer-friendly-1890748-6.patch queued for re-testing.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir commented 
+++ b/core/modules/book/book.moduleundefined
@@ -196,6 +197,16 @@ function book_menu() {
+ * @param Drupal\node\Node $node

Should be @param \Drupal\... :)

+++ b/core/modules/book/book.moduleundefined
@@ -196,6 +197,16 @@ function book_menu() {
+function _book_export_access($node) {
+  return user_access('access printer-friendly version') && node_access('view', $node);

Why mark this is a private function?

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

Hm, well in both cases I just copied the way Book module was already doing it :)

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
CreditAttribution: klausi commented
FileSize
book-node-access-1890748-12-interdiff.txt2.4 KB
book-node-access-1890748-12.patch4.1 KB

Fixed Berdir's comments and added proper type hinting.

I would want to replace node_access() with $node->access(), but I guess the node access controller is not ready yet.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir commented
Status: Needs review » Reviewed & tested by the community

Looks good, has tests and fixes the bug.

The callback there is a bit tricky, as that seems to be pluggable, so someone could provide book/export/pdf/123. Might require a change notice?

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Title: Printer Friendly Version of Book Does Not Take Into Account Node Access » [Tests for] Printer Friendly Version of Book Does Not Take Into Account Node Access
Version: 8.x-dev » 7.x-dev
Priority: Critical » Normal
Status: Reviewed & tested by the community » Patch (to be ported)
Issue tags: +Needs backport to D7

Awesome work, folks.

Committed and pushed to 8.x. I think the tests should probably be backported to 7.x yes?

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
CreditAttribution: klausi commented
Title: [Tests for] Printer Friendly Version of Book Does Not Take Into Account Node Access » Printer Friendly Version of Book Does Not Take Into Account Node Access
Version: 7.x-dev » 8.x-dev
Status: Patch (to be ported) » Fixed
Issue tags: -Needs backport to D7

The test case for Drupal 7 has already been committed with the security fix.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Priority: Normal » Critical

Yup, comparing the Drupal 7 to Drupal 8 commits for these tests I don't see any differences.

Restoring original issue priority also.

Automatically closed -- issue fixed for 2 weeks with no activity.