Problem/Motivation
openomega_preprocess_region
caches the result of calling menu_tree_output
, basing the cache key solely on the language. This means that if menu items have access controls based on anything other than language, incorrect output can occur.
The particular example which affected me is that I created a custom page with role-based access (courtesy of ctools). A race condition then ensues. If the first person to load a page after clearing cache has the role, everyone sees the menu item whether or not they have it. If the first person to load a page doesn't have the role, no-one sees it.
Proposed resolution
As a workaround, removing the calls to cache_get
and cache_set
from template.php
suffices.
A more involved fix might attempt to replace the i18n_menu_localize_tree
invocation with a hook into _menu_link_translate
, pushing all of the responsibility for caching into menu.inc
.
Comments
Comment #1
hefox CreditAttribution: hefox commentedMoving to security issue queue
Comment #2
hefox CreditAttribution: hefox commentedThis went out fixed today as a security issue via https://drupal.org/node/2070039
As a reminder, please report security/access bypass issues to the security team via the "Report a security issue" link.
Thanks