This bug is a security risk in that information may be given to the anonymous users in global fashion.
Patch needs to be ported to 6.x-2.x as well.
Comment | File | Size | Author |
---|---|---|---|
#17 | xmlsitemap-view_user_profiles.patch | 1.57 KB | Anonymous (not verified) |
#6 | xmlsitemap-view_user_profiles.patch | 1.58 KB | Anonymous (not verified) |
 | xmlsitemap-view_user_profiles.patch | 890 bytes | Anonymous (not verified) |
Comments
Comment #1
Anonymous (not verified): Here test bot.
Comment #2
Dave Reid: See xmlsitemap_user_requirements(). It's pointless to enable the module if you don't have the 'access user profiles' permission enabled. I don't consider this a security risk as disabling xmlsitemap_user should be done at that point as it's not needed.
Comment #4
Anonymous (not verified): I agree it is "pointless", but as "pointless" as it is, the module should check the access and not list them in the sitemap.xml file, making the associated requirement meaningful instead of meaningless.
Comment #5
Anonymous (not verified): I'm not certain that the test failure here is a result of my patching or a result of the test needing to be modified because of the patch. I don't see how this patch would cause a testBlockedUser() test to fail unless something else is wrong.
Comment #6
Anonymous (not verified): Does this help?
Comment #8
Anonymous (not verified): One more time.
Comment #10
Anonymous (not verified): Ok, why doesn't simpletest know about 'view user profiles'? Let's try this one.
Comment #12
Anonymous (not verified): Typo in last patch.
Comment #14
Anonymous (not verified): So it isn't "view user profiles", it is "access user profiles" with a title of "View user profiles", just to make it confusing.
Comment #15
Anonymous (not verified): With the file this time.
Comment #17
Anonymous (not verified): I finally figured out what I needed to change in xmlsitemap_user.test. Running core simpletest takes ~30 minutes on my WAMP just for this module, and this is my first experience with simpletest. But this file should pass testbot now.
Comment #18
Dave Reid: Again, I don't understand why this is necessary. We throw a big requirements check in xmlsitemap_user_requirements() for this. If we store access as 0 until the admin turns on the correct permission, we'd have to do a full rebuild of all user links. Without this patch, that would not be necessary.
Comment #19
interlated: In 7.x-2.0-rc2 I enabled xmlsitemap_user. Index user profiles was turned off, but the error 'view user profiles' came up. I think this is dangerous, as someone just responding to the error message would enable 'view user profiles' in response to the error message and not think about the implications.
I think it should only check for this permission when someone has asked for user profiles to be indexed.
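The two positions in this thread (#2/#18: rely on the requirements check; #4 and #19: compute link access from the real permission, and only warn once profile indexing has actually been requested) can be illustrated side by side. The following is an added example written for this page, not code from the xmlsitemap module; it assumes a Drupal 7 site, a hypothetical module named `example`, and an invented variable name `xmlsitemap_user_index_profiles` standing in for whatever setting controls profile indexing. Only standard Drupal 7 APIs (`user_roles()`, `variable_get()`, `hook_requirements()`) are used.

```php
<?php
/**
 * Added example (not the xmlsitemap module's own code).
 * Assumes Drupal 7. The module name 'example' and the variable
 * 'xmlsitemap_user_index_profiles' are hypothetical placeholders.
 */

/**
 * Returns TRUE when the anonymous role holds 'access user profiles'.
 *
 * The permission's machine name is 'access user profiles'; its title on
 * the permissions page is "View user profiles" (see comment #14).
 */
function example_anonymous_can_view_profiles() {
  // user_roles($membersonly, $permission) returns only the roles that
  // have the given permission, keyed by role ID.
  $roles = user_roles(FALSE, 'access user profiles');
  return isset($roles[DRUPAL_ANONYMOUS_RID]);
}

/**
 * Implements hook_requirements() for the hypothetical 'example' module.
 *
 * Addresses comment #19: the warning is only raised when an administrator
 * has asked for user profiles to be indexed, so nobody is nudged into
 * granting the permission for a feature they have not turned on.
 */
function example_requirements($phase) {
  $requirements = array();
  if ($phase != 'runtime') {
    return $requirements;
  }
  $indexing = variable_get('xmlsitemap_user_index_profiles', FALSE);
  if ($indexing && !example_anonymous_can_view_profiles()) {
    $requirements['example_user_profiles'] = array(
      'title' => t('User profile sitemap links'),
      'value' => t('Anonymous users cannot view user profiles'),
      'description' => t('Profile indexing is enabled, but the anonymous role lacks the "View user profiles" permission (access user profiles). Either disable profile indexing or grant the permission deliberately; profiles will not be listed until then.'),
      'severity' => REQUIREMENT_WARNING,
    );
  }
  return $requirements;
}

/**
 * Access value (0 or 1) to store on a user's sitemap link.
 *
 * Addresses comment #4: a link stored with access 0 is never written to
 * sitemap.xml, so a profile is listed only when an anonymous visitor could
 * actually view it. Blocked accounts are never listed regardless of the
 * permission. As Dave Reid notes in #18, flipping the permission later
 * means these stored values must be rebuilt.
 */
function example_user_link_access($account) {
  if (empty($account->status)) {
    return 0;
  }
  return example_anonymous_can_view_profiles() ? 1 : 0;
}
```

The trade-off the thread is circling is visible in the last function: computing access from the live permission keeps anonymous users from seeing profile URLs they cannot open, at the cost of rebuilding all user links whenever the permission changes; relying on the requirements warning alone avoids the rebuild but leaves listing correctness up to the administrator noticing the status page.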
Comment #20
Chris Matthews: The 7-year-old patch in #17 to xmlsitemap_user.module and xmlsitemap_user.test applied cleanly to the latest xmlsitemap 7.x-2.x-dev and, if still applicable, needs review.