[views] Add D6 patch for SA-CONTRIB-2017-022

Thanks for fixing up the patch and posting here!

Looks good for me!

Two bugs with this, one is trivial, one not so much:

1. db_rewrite_sql() has an $args parameter - dsnopek fixed my original patch which stopped passing $args to db_query(), but they should technically be passed to db_rewrite_sql() too. However I couldn't find a single implementation of db_rewrite_sql() that actually uses that param.

2. More importantly the original views queries are often written like SELECT td.* FROM term_data WHERE tid = %d. This is OK when not rewritten, but tac_lite adds a join, and you end up with 'ambiguous column tid in query' errors, needs to be td.tid = %d instead.

The fix is after the WHERE (you can't fix it in the SELECT as modules often check things like 'n' or 'td' etc).

@dsnopek I tested with tac_lite and confirmed it fixed both the security issue (404 instead of showing term with empty listing) and didn't throw the warning. I had to head scratch a bit on exactly where the bug was as well.

I think it's ready to go, my testing wasn't 100% comprehensive but definitely caught one place and it's the same change on each query so I think it's OK.

Not sure if this is related but started seeing this in the logs and relates to tid mentions above being ambiguous.

Column 'name' in field list is ambiguous query: SELECT name FROM term_data td LEFT JOIN term_data tac_td ON td.tid = tac_td.tid WHERE (td.tid IN (0, 0, 0) OR tac_td.vid NOT IN (2)) AND ( td.tid IN (4031)) in views_handler_argument_term_node_tid.inc on line 43.

Attached is a patch.

Yes this patch broke a few views for me, all of which use taxonomy filters or arguments. There are a few unprefixed "SELECT *" statements that fail when passed to db_rewrite_sql when using a node access module (in my case forum_access) as it can add more tables to the query and you get ambiguous column name errors. The previous patch on #16 doesn't catch all the potential errors. I made a github pull request with patches attached to this post here:
https://github.com/d6lts/views/pull/2/files

Good find, thanks for posting the patch.

There was another issue in the original patch, found by Fabianx. It shouldn't be a bug in practice, but if we're going to update the patch, better to do it once:

- Core uses 't', 'tid'
- The patch uses 'td', 'tid'

Neither tac_lite nor taxonomy_access (the two modules I am aware of) check the table name though.

i18ntaxonomy does check for 't' or 'v' in table, but obviously that is not security critical, but is how I noticed the mismatch.

### Examples

Core:

- https://api.drupal.org/api/drupal/modules%21taxonomy%21taxonomy.module/f...

The docs for db_rewrite_sql() only mention using the full table names vs. the 'usual table aliases' (all one-letter). It's not a requirement but there's the potential for it being used as an implicit API if core's consistent.

Going to mark CNW for that, it's just a change from td to t everywhere for the alias.

Addressing 'td' being 't' from @catch.

I also haven't tested this yet, but visually it looks great.

#20 is an interdiff against #6.

Here's a combined patch that will apply against views-6.x-3.2

Tested fine for me, so moving to RTBC.