Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This module has been marked as unsupported due to SA-CONTRIB-2015-104, which references the possibility of a user with administrative access to Dynamic Display Blocks being able to view the title of content for which the user has no access.
This patch will enforce node access permissions on the list of nodes that can be seen by the user in administrative or view mode.
Comment | File | Size | Author |
---|---|---|---|
#9 | sdo-102693-ddblock-node-access-d7-2.patch | 4.19 KB | ppblaauw |
#9 | sdo-102693-ddblock-node-access-d6-2.patch | 2.26 KB | ppblaauw |
Comments
Comment #1
roball CreditAttribution: roball commentedAccording to the stats, around 16,000 sites are still using this module. Do you want to follow option 2 of the module unsupported notice?
"File an issue in the queue with a patch to fix the module and then contact the security team to have your version reviewed and the project handed over to you following the unsupported project process."
Comment #2
hdbonnett CreditAttribution: hdbonnett commentedI sent a message to security after I created this issue asking for a review. If they accept the patch and grant me commit access, I'll push the change out so the module will be supported again and also backport the code to Drupal 6. I'm not in a position time-wise to tackle most of the other open issues in the queue, but I'll see what I can close without major work.
Comment #3
roball CreditAttribution: roball commentedThank you!
Comment #4
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedI was the original reporter of this issue to the security team.
Here's a patch for Drupal 7 I included along with my report (and a Drupal 6 backport of it by benjy).
This uses a different technique than the patch above - it modifies the database query directly to respect node access there.
One other difference is that my patch does not modify _ddblock_get_content_array() also, but the patch posted here does. I haven't looked into it to see if that's necessary or not.
Hope this helps...
Comment #5
hdbonnett CreditAttribution: hdbonnett commentedI think @David_Rothstein's patch is more compliant with Drupal practices than mine and is thus preferable. I had added the node_access filter to __dd_get_content_array since it wasn't checking access rights either, so I would suggest we apply the same tag there. I'll take David's patch, add the second tag and test it for 6 and 7. Assuming all looks fine, we can then see about getting the patch committed.
Comment #6
ppblaauw CreditAttribution: ppblaauw commentedPosted patches on the original issue
Comment #7
edminn CreditAttribution: edminn commentedSo David Rothstein's patches are the ones to use? Where's the original issue?
Comment #8
hdbonnett CreditAttribution: hdbonnett commentedI have implemented David Rothstein's patch for v7 (against 7.x-1.x-dev) and tested access control. With this patch, the restricted content item's title is not visible to a user who does not have access to it. I will try to get the time to test the v6 patch this week as well.
Given the simple nature of the change, I don't know that we need more than one other to test before the change is committed. @roball, are you able to do this?
Comment #9
ppblaauw CreditAttribution: ppblaauw as a volunteer commentedPatches which were posted in the original issue:
Comment #10
roball CreditAttribution: roball commentedComment #11
edminn CreditAttribution: edminn commentedAre these patches going to be committed so that the module isn't flagged as unsupported anymore? I'd rather wait until that happens to modify code further.
Comment #12
ppblaauw CreditAttribution: ppblaauw as a volunteer commented@ edminn As soon as the issue is reviewed & tested by community the patches will be comitted
Comment #13
hdbonnett CreditAttribution: hdbonnett commentedI have tested this for 7.x-1.x-dev and can confirm the changes do remove access to a restricted node.
Comment #14
Zoltan Komar CreditAttribution: Zoltan Komar commentedTested, and working fine for me. #9
Comment #15
roball CreditAttribution: roball commentedSo patch at #9 should be committed to 7.x-1.x, right?
Comment #16
edminn CreditAttribution: edminn commentedUnfortunately, I don't have command line access for this client. Is there an alternate method for applying the patches?
Comment #17
Pere OrgaPatch looks good to me too. Let me know when you create the security release and I'll remove the red banner from the project page, publish the release and update the advisory.
Comment #18
ppblaauw CreditAttribution: ppblaauw as a volunteer commentedCreated releases and updated the advisory
Comment #19
roball CreditAttribution: roball commentedConfused because still, no commits are shown.
Comment #20
Pere OrgaI've checked that the commits went into the release and published them. Everything should be ok now.
Thanks
Comment #21
gregglesI don't see them at https://www.drupal.org/node/293705/commits nor as comments in this issue.
I don't see them in the 7.x-1.x log in git: http://cgit.drupalcode.org/ddblock/log/ddblock.module?h=7.x-1.x
From the summary page at http://cgit.drupalcode.org/ddblock/ I do see new tags that seem to be associated with the commit.
So, it seems like there's a bit of cleanup necessary to ensure that these patches will be in future 7.x-1.x releases.
Comment #22
Pere OrgaThe patch went into the 7.x-1.1 release, I checked the source before publishing it.
Probably the tag was pushed but not the commits.
Comment #23
Pere OrgaActually, this only pushes the tags, not the branches:
git push --tags
This should be done instead:
git push
git push --tags
Maybe we should consider option 1 when fixing a vulnerability in private. That way the commits would be less discoverable (the branches could be pushed a bit later, after the release and the advisory have been published)
Comment #24
gregglesYes, I agree it appears to be in the release. Thanks for confirming it!
Comment #25
roball CreditAttribution: roball commentedStrange that two days after 6.x-1.0-rc7 has been released, the update module still reports that the installed version 6.x-1.0-rc6 is not supported and that the module should be removed, instead of recommending updating to rc7.
Comment #26
greggles@roball there's a bug in updates.drupal.org right now - should be fixed in a few days. I asked someone to clear the cache on this url manually to help get this update out.
Comment #27
roball CreditAttribution: roball commentedThank you @greggles, now 6.x-1.0-rc7 came through the update process.
Comment #28
roball CreditAttribution: roball commented6.x-1.0-rc7 is completely messed up! If you update 6.x-1.0-rc6 to rc7, the dynamic blocks will no longer work! Thus, I had to revert to rc6 and manually apply the patch that has been applied with pushing the tag 6.x-1.0-rc7:
Comment #29
Pere OrgaThis is unlikely to have happened by the patch. Probably the patch was applied to a branch that had many other changes and was not fully tested, that's unfortunate. Maybe an easy way to fix that would be creating a 6.x-1.0-rc8 release just applying the patch against 6.x-1.0-rc6 code?
Anyway, please can you create a follow-up and post the link here? So we can close this.
Comment #30
roball CreditAttribution: roball commentedI agree to release 6.x-1.0-rc8 which just has the patch applied against 6.x-1.0-rc6 code. Follow-up issue created at #2506573: 6.x-1.0-rc7 is broken. Thanks.
Comment #31
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedYes, for Drupal 6 too.
Running either of these:
shows that the patch is not present on 6.x-1.x or 7.x-1.x, only on the latest tagged releases.
Comment #32
ppblaauw CreditAttribution: ppblaauw as a volunteer commentedI don't know how to create a new release from the rc6 version of the module, see my question at:
#2506573: 6.x-1.0-rc7 is broken
From comment #31, I understand I should first update the changes to 6.x-1.x and 7.x-1.x and then create a new release from dev.
I think there where changes in the 6.x-1.x version a long time ago and I mistakenly adjusted the code to that version to create the rc7 release.
Will try to find out what are the difference in the different branches and tags and update code when I know how to do it the good way.
Comment #33
ppblaauw CreditAttribution: ppblaauw as a volunteer commentedCreated the new rc8 release.
Comment #34
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedI just did a git pull and the issue is still present in the latest code on the 6.x-1.x and 7.x-1.x branches. You basically just need to commit the patches to the 6.x-1.x and 7.x-1.x branches directly - then it should be all set for any future release.
Comment #35
roball CreditAttribution: roball commentedppblaauw has created a 6.x-1.x-temp branch, which contains the 6.x-1.x commits up to the (last working) 6.x-1.0-rc6 release, and the patch directly applied to that, tagged and released as 6.x-1.0-rc8. Looks good to me. Maybe the current 6.x-1.x branch should be renamed to 6.x-2.x and 6.x-1.x-temp to 6.x-1.x, so the fix is actually also in 6.x-1.x. The new features committed to 6.x-1.x years ago could then be developed further as 6.x-2.x (if that ever happens).
Comment #36
nicolasg CreditAttribution: nicolasg commentedThe patch in #9 fails for our case because of ambiguity in the sql statement.
Upgraded to rc8 and ddblocks stopped showing.
The line:
$sql = db_rewrite_sql("SELECT n.nid FROM {node} n WHERE status=1 AND type='%s' AND nid='%s'");
Has ambiguiity in the last WHERE clause.
Error in log:
Column nid in where clause is ambiguous query: SELECT DISTINCT n.nid FROM node n INNER JOIN node_access na ON na.nid = n.nid WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 0 AND na.realm = 'content_access_author') OR (na.gid = 1 AND na.realm = 'content_access_rid'))) AND ( status=1 AND type='home_carousel' AND nid='61') in ****/modules/ddblock-6.x-1.0-rc8/ddblock.module on line 1917.
It should be
$sql = db_rewrite_sql("SELECT n.nid FROM {node} n WHERE status=1 AND type='%s' AND n.nid='%s'");
This could be because of the extra modules were using for access control.
However, if you are going to alias {node} as "n" then you should refer to its child fields by the same alias in the query, thus n.nid