It turns out that the media module has a very similar vulnerability to http://drupal.org/node/798044.
This was discovered by Joshua Rogers. Media only has a 7.x alpha release, so
I'm opening a public issue for this per Drupal Security Team policy.

Looking at the code, this is something new to look at: it's taking
what it thinks is a URL/URI but never validates that it has a scheme.
This may be a more prominent problem in Drupal 7 when we think we're
getting a URI, but many PHP functions will use a local path.

Report from him:

I found out that I could get the media module to grab any file in the
local file system. I have a feeling this is not intended behavior.
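To make the point in the issue concrete, here is an added example (not code from the media module, and not the patch discussed below) of the check that is missing: a caller-supplied "remote URI" is parsed and required to carry a permitted scheme and a host before it reaches a PHP function that would just as happily open a local path. The function names are hypothetical, `file_get_contents()` stands in for whatever fetch routine a module uses, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the media module or its fix.
// Demonstrates validating that a URI has an allowed remote scheme before
// it is passed to a PHP function that also accepts local filesystem paths.

/**
 * Returns TRUE only if $uri parses cleanly and has an allowed remote scheme.
 *
 * Hypothetical helper name.
 *
 * @param string $uri
 *   The caller-supplied value.
 * @param array $allowed_schemes
 *   Lower-case schemes the fetcher is permitted to use.
 */
function example_uri_has_allowed_scheme($uri, array $allowed_schemes = array('http', 'https')) {
  if (!is_string($uri) || $uri === '') {
    return FALSE;
  }
  $parts = parse_url($uri);
  // parse_url() returns FALSE for seriously malformed input, and omits the
  // 'scheme' key entirely for bare paths such as /etc/passwd or etc/passwd.
  // A scheme without a host (file:///etc/passwd) is rejected as well.
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  return in_array(strtolower($parts['scheme']), $allowed_schemes, TRUE);
}

/**
 * Fetches a remote resource, or returns NULL when the URI is rejected.
 *
 * Hypothetical helper name. file_get_contents() is the stand-in for "any PHP
 * function that will take a local path"; the scheme check keeps it remote.
 */
function example_fetch_remote($uri) {
  if (!example_uri_has_allowed_scheme($uri)) {
    return NULL;
  }
  // Short timeout and no redirect following, so a validated http(s) URI
  // cannot be bounced somewhere the check did not see.
  $context = stream_context_create(array(
    'http' => array('timeout' => 5, 'follow_location' => 0),
  ));
  $data = @file_get_contents($uri, FALSE, $context);
  return ($data === FALSE) ? NULL : $data;
}

// Constructed sample inputs, in the shape a media fetcher might receive.
$samples = array(
  'http://example.com/video.flv',  // accepted
  'https://example.com/image.png', // accepted
  'HTTP://example.com/x',          // accepted: scheme compare is case-insensitive
  '/etc/passwd',                   // rejected: no scheme, bare local path
  'etc/passwd',                    // rejected: relative local path
  'file:///etc/passwd',            // rejected: scheme not allowed, and no host
  'http:///example.com',           // rejected: parse_url() returns FALSE
);
foreach ($samples as $uri) {
  printf("%-32s %s\n", $uri, example_uri_has_allowed_scheme($uri) ? 'accepted' : 'rejected');
}
```

The scheme list is an allow-list rather than a block-list on purpose: new stream wrappers (Drupal registers several of its own) should stay rejected until someone decides a fetcher may use them.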


Comments

pwolanin:

Status: Active » Needs review
FileSize: 1.26 KB

First, untested pass at a fix.

pwolanin:

Oops, apparently we don't actually do *any* validation yet, so the above patch breaks legit use too.

This skips the check for a NULL uri being returned.

pwolanin:

Status: Needs review » Fixed

http://drupal.org/cvs?commit=366906

Jacob committed it with an added fix.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.