See SA-CORE-2011-003 - there is an access bypass issue in Comment module that was fixed in Drupal 7. This fix needs to be applied to the 8.x development branch also.

I've uploaded the patch from Drupal 7 to this issue (taken from http://drupalcode.org/project/drupal.git/patch/b38a806). It seems to apply to D8, but beyond that I haven't checked that it's good.

Attached file: b38a806.patch (2.28 KB), uploaded by David_Rothstein

Comments

Comment by Anonymous

Status: Needs review » Reviewed & tested by the community

Tested and it works.

I added a filefield with Private access to the comment. I then created a node, commented with a file on the node, and unpublished the node.

When I visited with an anonymous user, without the patch I had access to the file. With the patch, I did not.

RTBC.

Comment by catch

Status: Reviewed & tested by the community » Fixed

Thanks! Committed and pushed to 8.x.

Automatically closed -- issue fixed for 2 weeks with no activity.