Hi,
i have installed ckeditor in a drupal project with module storage_api, solving an issue with storage api i found some cases where a call to file_download_access can cause infinite calls with other modules interactions.
The code in function ckeditor_file_download, checks that the file is not managed, but first it create the url, than can cause problems (in fact it is doing with storage api), i think that the call to that function can be moved after checking that the file is not managed. It is also more efficient.
This is the actual code:
function ckeditor_file_download($uri) {
if ($path = file_create_url($uri)) {
$result = db_query("SELECT f.* FROM {file_managed} f WHERE uri = :uri", array(':uri' => $uri));
foreach ($result as $record) {
return NULL;
}
//No info in DB? Probably a file uploaded with FCKeditor / CKFinder
I send a patch moving the if after firsts foreach:
function ckeditor_file_download($uri) {
$result = db_query("SELECT f.* FROM {file_managed} f WHERE uri = :uri", array(':uri' => $uri));
foreach ($result as $record) {
return NULL;
}
//No info in DB? Probably a file uploaded with FCKeditor / CKFinder
if ($path = file_create_url($uri)) {
Best
David
Comment | File | Size | Author |
---|---|---|---|
#7 | ckeditor-move_check_file_download-2437749-7.patch | 5.01 KB | Perignon |
#1 | ckeditor-move_check_file_download-2437749-1.patch | 1.73 KB | david.gil |
Comments
Comment #1
david.gil CreditAttribution: david.gil commentedhere is my patch.
Best
Comment #2
Perignon CreditAttribution: Perignon commentedAdding a related issue. This patch fixes issues where modules implement file access restrictions. Storage API's recent update implements better file access checking. Users using CKEditor module immediately had problems and issues when the security fix was put in place for Storage API.
Comment #3
Perignon CreditAttribution: Perignon commentedMarking as reviewed as some users of Storage API and myself have checked this patch.
Comment #5
Perignon CreditAttribution: Perignon commentedHrm. I'm going to recheck that patch. See if it might need re-rolling.
Comment #6
Perignon CreditAttribution: Perignon commentedI see the problem on the patch. It wasn't made against the module repo but the guys site installation. Rerolling...
Comment #7
Perignon CreditAttribution: Perignon commentedAttached is a re-rolled patch. Patch also fixes three or four coding standards things (one line IF statements) and more than one empty line at the end.
Comment #8
pdcarto CreditAttribution: pdcarto as a volunteer commented#7 patch solved the problem for me
Comment #9
SergFromSD CreditAttribution: SergFromSD commented#7 patched aslo solved the problem I had with storage api.
Comment #11
jcisio CreditAttribution: jcisio at Axess Open Web Services commentedI've removed all unnecessary change (to avoid conflict with #2550535: $plugin_settings['active'] is messing with features.) from the patch and committed it. Thanks.