This security hole was fixed in the last Drupal core release and thus should be ported to HEAD asap.

Users who may write translations for nodes are able to write translations
by using e.g.
/node/add/page?translation=209&language=en

If the user has no access to the node with the id 209 he can still open
this page and see the values of all fields the content types share - so
the user can easily read the title & the body of the node.

Attached patch is what was committed to 6.x
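The prefill behaviour described above can be modelled in plain PHP. This is an added example, not code from the patch or from Drupal core: the node data, the `can_view()` helper and both prefill functions are hypothetical names, and the view-access check is an assumption about the shape of the fix, while the text-format check mirrors the snippet discussed in the comments.

```php
<?php
// Constructed sample data: node 209 is not viewable by the translator (uid 7).
$nodes = [
  209 => ['title' => 'Internal roadmap', 'body' => 'Confidential text', 'format' => 2, 'viewers' => [1]],
  210 => ['title' => 'Public page', 'body' => 'Hello', 'format' => 1, 'viewers' => [1, 7]],
];
// Constructed: text formats each user is allowed to use.
$user_formats = [1 => [1, 2], 7 => [1]];

// Hypothetical stand-in for the CMS view-access check.
function can_view(array $node, int $uid): bool {
  return in_array($uid, $node['viewers'], true);
}

// Before the fix: the source id from the query string is trusted, so any
// translator gets the source title and body copied into the new form.
function prefill_vulnerable(array $nodes, array $query): array {
  $source = $nodes[(int) ($query['translation'] ?? 0)] ?? null;
  return $source ? ['title' => $source['title'], 'body' => $source['body']] : [];
}

// After the fix: nothing is prefilled unless the user may view the source,
// and the body is withheld when the user may not use its text format.
function prefill_hardened(array $nodes, array $user_formats, int $uid, array $query): array {
  $id = $query['translation'] ?? null;
  if (!is_string($id) || !ctype_digit($id) || !isset($nodes[(int) $id])) {
    return [];
  }
  $source = $nodes[(int) $id];
  if (!can_view($source, $uid)) {
    return [];
  }
  $format_ok = in_array($source['format'], $user_formats[$uid] ?? [], true);
  return ['title' => $source['title'], 'body' => $format_ok ? $source['body'] : ''];
}

// Same request as in the report, made by uid 7.
$query = ['translation' => '209', 'language' => 'en'];
var_dump(prefill_vulnerable($nodes, $query));
var_dump(prefill_hardened($nodes, $user_formats, 7, $query));
```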


Comments

pwolanin’s picture

tagging

dmitrig01’s picture

Status: Patch (to be ported) » Needs review
FileSize
3.55 KB

untested

Status: Needs review » Needs work

The last submitted patch failed testing.

brianV’s picture

Status: Needs work » Needs review
FileSize
3.79 KB

Rerolled for HEAD with a few newlines added for readability.

Status: Needs review » Needs work

The last submitted patch failed testing.

brianV’s picture

Status: Needs work » Needs review
FileSize
4.34 KB

Doh. Nothing changes in translation.module since March, then 30 minutes after I submit a patch, it gets updated...

Oh well, found a few things that needed to be changed when I looked at it again with fresh eyes. New patch attached.

Status: Needs review » Needs work

The last submitted patch failed testing.

brianV’s picture

Status: Needs work » Needs review
FileSize
4.32 KB

That's what I get for submitting patches before I've had my morning coffee.

Status: Needs review » Needs work

The last submitted patch failed testing.

brianV’s picture

Status: Needs work » Needs review
FileSize
4.38 KB

I need to get simpletest running on my machine...

Status: Needs review » Needs work

The last submitted patch failed testing.

brianV’s picture

Ok, I officially give up for now.

The failing portion is below:

// If user has no access to the filter used for the body, Drupal core
+    // does not let the edit form to appear, so we should avoid exposing
+    // the source text here too.
+    $formats = filter_formats();
+    $node->body = filter_access($formats[$source_node->body['zxx'][0]['format']]) ? $source_node->body : '';
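Review bot: The last added line indexes $source_node->body['zxx'][0]['format'] with a hard-coded 'zxx' key and passes the $formats lookup straight to filter_access() without checking that either index exists. If the body is stored under another language key, or the format id is not in the array returned by filter_formats(), filter_access() receives an undefined value. Suggest taking the key from the source node and guarding the lookup with isset() before calling filter_access(), keeping the '' fallback. The comment above it would also read better as "does not let the edit form appear".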

If someone knows how to get at the format for the node body, that is all that is preventing this one from passing all the tests.

brianV’s picture

Status: Needs work » Needs review
FileSize
4.39 KB

Status: Needs review » Needs work

The last submitted patch failed testing.

grndlvl’s picture

Status: Needs work » Needs review
FileSize
4.54 KB

The failing portion is below:

<?php
// If user has no access to the filter used for the body, Drupal core
+    // does not let the edit form to appear, so we should avoid exposing
+    // the source text here too.
+    $formats = filter_formats();
+    $node->body = filter_access($formats[$source_node->body['zxx'][0]['format']]) ? $source_node->body : '';
?>

Should use $source_node->language as the key to get body from the source node. Because the source node body could be any language.

<?php
$node->body[$node->language][0] = (filter_access($formats[$source_node->body[$source_node->language][0]['format']])) ? $source_node->body[$source_node->language][0] : '';
?>

I think...

grndlvl’s picture

FileSize
4.52 KB

Don't know what I was thinking; should just assign $source_node->body to $node->body.
Changed the following:

<?php
$node->body = (filter_access($formats[$source_node->body[$source_node->language][0]['format']])) ? $source_node->body : '';
?>

brianV’s picture

Status: Needs review » Reviewed & tested by the community

@grndlvl

Thanks for finishing this one off. I just couldn't seem to get that section right!

Anyways, it looks good to me, and is a faithful adaption of the D6 patch.

Status: Reviewed & tested by the community » Needs review

Re-test of 361648-grndlvl-16.patch from comment #16 was requested by webchick.

klausi’s picture

Status: Needs review » Reviewed & tested by the community

Tests passed, setting back to RTBC.

webchick’s picture

Status: Reviewed & tested by the community » Fixed

Committed to HEAD, thanks!

Status: Fixed » Closed (fixed)
Issue tags: -Security Advisory follow-up

Automatically closed -- issue fixed for 2 weeks with no activity.