This security hole was fixed inthe last Drupal core rlease and thus should be ported to HEAD asap.
Users who may write translations for nodes are able to write translations
by using e.g.
/node/add/page?translation=209&language=enIf the user has no access to the node with the id 209 he can still open
this page and sees the values of all fields the content types share - so
the user can easily read the title & the body of the node.
Attached patch is what was committed to 6.x
Comment | File | Size | Author |
---|---|---|---|
#16 | 361648-grndlvl-16.patch | 4.52 KB | grndlvl |
#15 | 361648-grndlvl-15.patch | 4.54 KB | grndlvl |
#13 | 361648-access-bypass-translation-rev5.patch | 4.39 KB | brianV |
#10 | 361648-access-bypass-translation-rev4.patch | 4.38 KB | brianV |
#8 | 361648-access-bypass-translation-rev3.patch | 4.32 KB | brianV |
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedtagging
Comment #2
dmitrig01 CreditAttribution: dmitrig01 commenteduntested
Comment #4
brianV CreditAttribution: brianV commentedRerolled for HEAD with a few newlines added for readability.
Comment #6
brianV CreditAttribution: brianV commentedDoh. Nothing changes in translation.module since March, then 30 minutes after I submit a patch, it gets updated...
Oh well, found a few things that needed to be changed when I looked at it again with fresh eyes. New patch attached.
Comment #8
brianV CreditAttribution: brianV commentedThat's what I get for submitting patches before I've had my morning coffee.
Comment #10
brianV CreditAttribution: brianV commentedI need to get simpletest running on my machine...
Comment #12
brianV CreditAttribution: brianV commentedOk, I officially give up for now.
The failing portion is below:
If someone knows how to get at the format for the node body, that is all that is preventing this one from passing all the tests.
Comment #13
brianV CreditAttribution: brianV commentedComment #15
grndlvl CreditAttribution: grndlvl commentedShould use $source_node->language as the key to get body from the source node. Because the source node body could be any language.
I think...
Comment #16
grndlvl CreditAttribution: grndlvl commenteddon't know what i was thinking should just assign $source_node->body to $node->body.
Changed the following:
Comment #17
brianV CreditAttribution: brianV commented@grndlvl
Thanks for finishing this one off. I just couldn't seem to get that section right!
Anyways, it looks good to me, and is a faithful adaption of the D6 patch.
Comment #19
klausiTests passed, setting back to RTBC.
Comment #20
webchickCommitted to HEAD, thanks!