Steps to reproduce:
1. Create new forum topic, and mark it as "Published".
2. Edit this forum topic and unpublish it by unchecking the "Published" checkbox.
3. Click save button.
The node is still listed in the topic list, but protected from access.
Comment | File | Size | Author |
---|---|---|---|
#43 | 1302404_easy_diff.txt | 1.25 KB | chx |
#42 | forum-unpublished-d8-1302404-41.patch | 5.22 KB | xjm |
#40 | forum-index-node-access-29-D7-do-not-test.patch | 5.73 KB | webchick |
#37 | forum-topic-unpublished-1302404-37.patch | 4.59 KB | oriol_e9g |
#33 | forum-topic-unpublished-1302404-31.patch | 4.6 KB | penyaskito |
Comments
Comment #1
StevenPatzComment #2
penyaskitoThe node must be removed from
forum_index
once it is marked as unpublished.Comment #3
penyaskitoThe check for
node->status
is unnecessary because the index must be updated, and it is checked later for the other operations, please review the attached patch.Comment #4
penyaskitoThe bug is in D7 too.
Comment #5
penyaskitoPatch backported to d7.
Comment #6
skottler CreditAttribution: skottler commentedThis cleanly applies to both D7 and D8. Looks good to me, marking RTBC.
Comment #7
pillarsdotnet CreditAttribution: pillarsdotnet commentedComment #8
penyaskitoOk, let's try to make some tests.
Comment #9
penyaskitoPatch attached.
Comment #10
penyaskitoThe same patch applies too to 7.x
Comment #11
pillarsdotnet CreditAttribution: pillarsdotnet commentedA nifty trick in such cases is to post two patches, one with tests only, and one with tests plus the fix.
In this way you can demonstrate (via the red/green color combination) that your tests fail before the fix, and pass afterwards.
Comment #12
penyaskitoMakes sense, here it is.
Comment #13
penyaskitoSomething must be wrong if the second one passes...
Comment #14
penyaskitoAnother patch with a test that looks better. Let's see what the testbot thinks.
Comment #15
penyaskitoEdited --DUPLICATED--
Comment #16
penyaskitoPatch that includes the fix for the issue.
Comment #17
penyaskitoFor me is RTBC, unassigning me so it gets reviewed.
Comment #18
penyaskitoAs suggested by chx, added an update path for 7.x sites in 7.x branch.
This needs testing, but depends on #1182296: Add tests for 7.0->7.x upgrade path (random test failures) AFAIU.
Comment #19
penyaskitoUnassign me, waiting for comments.
Comment #20
pillarsdotnet CreditAttribution: pillarsdotnet commentedComment #21
larowlanNeeds refill post /core patch
Comment #22
realityloop#18 doesn't really aply to D8.x
#16 rerolled for /core
Comment #23
penyaskitoRerolled patches for D8 to HEAD.
Comment #25
langelhc CreditAttribution: langelhc commented#23: forum-topic-unpublished-1302404-22.patch queued for re-testing.
Comment #27
edutrul CreditAttribution: edutrul commentedWe have tested the patch #23 and it keeps failing.
@heilop @edusempai
Comment #28
oriol_e9gI have tested this and I can't reproduce this bug in D8-HEAD or D7-dev.
Unpublished forum topics don't appear in the topic list and don't appear in the block list.
More steps to reproduce the bug?
Comment #29
oriol_e9gUntaging
Comment #30
penyaskito@oriol_e9g I reproduced the bug with the given instructions. The problem happens when you unpublish an existing and published post. I'll try to edit the summary to be more explicit.
Comment #31
penyaskitoOk, I was testing the wrong thing: I was testing about the topics count displayed, and that was correct.
I added now another asserts for testing if the topic is or not listed.
The code approach has changed too.
Let's see if the build bot gives some love back.
Comment #32
penyaskitoPer @aspilicious review on IRC:
* one comment exceeds 80 chars and the summary line should be less or equal than 80 chars
Comment #33
penyaskitoFixed those issues, improved wording and Doxygen comments.
Merged two last lines of aux function.
Comment #34
penyaskitoBot!
Comment #35
aspilicious CreditAttribution: aspilicious commentedCode looks ok to me, will leave this to others to see if they can identify possible problems with the approach.
Comment #37
oriol_e9gThe code looks good, same patch but with t() removal in assertions for #500866: [META] remove t() from assert message
Comment #38
oriol_e9gI have tested the code and for my is RTBC.
Comment #39
penyaskitoThis has been considered a vulnerability in D7 and fixed in http://drupal.org/node/1557938, so I think that is not bad increasing priority.
Advisory ID: DRUPAL-SA-CORE-2012-002
Access bypass - forum listing
CVE: CVE-2012-1590
Comment #40
webchickThis was fixed in D7 as part of SA-CORE-2012-002. However, we still need the fix in D8.
Here's the patch from the security team issue tracker (which also needs the small typo fix in #1558402: D8 followup DRUPAL-SA-CORE-2012-002 - Access bypass - forum listing).
Commit credit should include mlhess, coltrane, xjm, and jhodgdon, as well as penyaskito.
I have not yet looked to see how different the committed D7 patch is from the one in this issue.
Comment #41
xjmI'll roll this one. The patches were pretty much the same.
Comment #42
xjmComment #43
chx CreditAttribution: chx commentedI have attached the output of git diff -b over the module to make the change super easy to see.
Comment #44
catchThanks folks. Committed/pushed this one to 8.x.
Comment #45.0
(not verified) CreditAttribution: commentedUpdated issue summary.