See: https://www.drupal.org/SA-CORE-2015-003
http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=731dfacab8bf39918c135...
Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.
This issue needs verifying against Drupal 8, since so much of the menu system was changed.
Credit for the D6/D7 version of this patch (the security release):
David_Rothstein, matt2000, scor, greggles, meichr, larowlan
Comment | File | Size | Author |
---|---|---|---|
#12 | tests_for_information-2554239-12.patch | 2.19 KB | StryKaizer |
#10 | tests_for_information-2554239-10.patch | 1.88 KB | StryKaizer |
#9 | tests_for_information-2554239-9.patch | 1.84 KB | StryKaizer |
#5 | Screenshot 2015-08-20 16.52.25.png | 151.46 KB | larowlan |
#3 | Screen Shot 2015-08-19 at 8.11.43 PM.png | 97.63 KB | webchick |
Comments
Comment #2
webchick: Going to attempt to verify this one.
Comment #3
webchick: Nope, this isn't an issue in Drupal 8.
Steps to reproduce (via David_Rothstein):
1. Create a node and add it to the main menu.
2. Remove the "access content" permission from anonymous users.
3. Log out and view the home page.
Works as expected.
Comment #4
webchick
Comment #5
larowlan: Confirming cannot reproduce in D8.
Comment #6
dawehner: Is it just me or should we maybe have some dedicated test coverage for it? I mean it's like a regression we should absolutely never have again.
Comment #7
webchick: That's true. We could totally do that.
Comment #8
webchick
Comment #9
StryKaizer: Here's a test for D8.
As noted, this test does not fail, since this bug is not an issue at this moment in D8.
Comment #10
StryKaizer: Documentation fixes.
Comment #11
stefan.r: Nit: needs a newline between these.
s/fields/menu links/
Nit: Bracket notation.
Missing full stop.
Just to isolate this test to the "access content" permission, can we give just that permission to the anonymous user and assert that the link is there?
Nit: missing newline before class closing bracket.
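The reproduction steps from comment #3 and the "access content" isolation check asked for in comment #11, written up as an added illustrative Drupal 8 functional test; this is not the patch attached to this issue. It assumes the 8.0.x-era simpletest WebTestBase helpers, and the class name, test method name, node title and the choice of `user/login` as the anonymous-reachable page are assumptions of this example.

```php
<?php

namespace Drupal\node\Tests;

use Drupal\menu_link_content\Entity\MenuLinkContent;
use Drupal\simpletest\WebTestBase;
use Drupal\user\RoleInterface;

/**
 * Regression test for SA-CORE-2015-003 on Drupal 8: a menu link pointing at a
 * node must not reveal the node's title to users lacking "access content".
 *
 * @group node
 */
class NodeAccessMenuLinkExampleTest extends WebTestBase {

  /**
   * {@inheritdoc}
   */
  public static $modules = ['node', 'menu_link_content', 'block'];

  public function testMenuLinkHiddenWithoutAccessContent() {
    // The menu block has to be rendered somewhere for the link to show up.
    $this->drupalPlaceBlock('system_menu_block:main');
    $this->drupalCreateContentType(['type' => 'page']);
    // Constructed sample title; a leak would show it to anonymous visitors.
    $title = 'Constructed secret node title';
    $node = $this->drupalCreateNode(['type' => 'page', 'title' => $title]);

    // Step 1: add the node to the main menu.
    MenuLinkContent::create([
      'title' => $title,
      'link' => ['uri' => 'entity:node/' . $node->id()],
      'menu_name' => 'main',
    ])->save();

    // Step 2: anonymous users lose "access content".
    user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, ['access content']);

    // Step 3: as anonymous, view a page every visitor can reach. The login
    // form carries the main menu block, so this does not depend on the front
    // page itself being accessible. The node title must be absent.
    $this->drupalGet('user/login');
    $this->assertResponse(200);
    $this->assertNoLink($title);

    // Isolation check: giving anonymous only "access content" back makes the
    // link appear, so that single permission is what decides visibility.
    user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, ['access content']);
    $this->drupalGet('user/login');
    $this->assertLink($title);
  }

}
```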
Comment #12
StryKaizer: @stefan.r: Thanks for the review!
Attached you'll find a revised patch.
Comment #13
stefan.r: This looks great now as it tests for the same D7 vulnerability!
Just a nit: you missed converting the 4 other array()s and the first menu link assertion out of the 3 isn't necessary.
Comment #14
jibran: Looks fine. It'd be great if we can mention https://www.drupal.org/SA-CORE-2015-003 somewhere inside the test.
Comment #15
webchick: Grepped around a bit, and the format seems to be:
...right above the test.
So added this:
(We seem to have dropped "DRUPAL" from the SAs sometime.)
...and committed/pushed to 8.0.x. Thanks!
Comment #17
jibran: Thank you @webchick for fixing that on commit. :)
Comment #18
webchick: Oops, meant to do this.