It turns out that media module has a very similar vulnerability to http://drupal.org/node/798044
This was discovered by Joshua Rogers. Media only has a 7.x alpha release, so
I'm opening a public issue for this per Drupal Security Team policy.
Looking at the code, this is something new to look at - it's taking
what it thinks is a URL/URI but never validated that it has a scheme.
This may be a more prominent problem in Drupal 7 when we think we're
getting a URI, but many PHP functions will use a local path.
report from him:
I found out that I could get the media module to grab any file in the
local file system. I have a feeling this is not intended behavior.
Comment | File | Size | Author |
---|---|---|---|
#2 | 798478-meedia-file-disclosure-3.patch | 1.32 KB | pwolanin |
#1 | 798478-meedia-file-disclosure-1.patch | 1.26 KB | pwolanin |
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedFirst, untested pass at a fix.
Comment #2
pwolanin CreditAttribution: pwolanin commentedoops - apparently we don't actually do *any* validation yet so the above patch breaks legit use too.
the skips the check for a NULL uri being returned.
Comment #3
pwolanin CreditAttribution: pwolanin commentedhttp://drupal.org/cvs?commit=366906
Jacob committed with added fix.