In the Drupal 6 version, the check against Node Access was dropped in the implementation of hook_file_download.
That's a problem. Provided a user can 'view uploaded files' (has that permission), he can download any file attached to any node, including the files attached to nodes that are unpublished or to which he has no 'view' access, provided of course that he has the links to these files.

D6 and D7 patches were from Damien Tournoud. The D6 version went into 6.4 as part of the security patch.

however, slightly different fixes proposed at: http://drupal.org/node/247095

CommentFileSizeAuthor
#1 upload_file_download-319341-1.patch1.34 KBpwolanin

Comments

pwolanin’s picture

pwolanin commented
Status: Active » Needs review
StatusFileSize
new upload_file_download-319341-1.patch1.34 KB

here's the 6.4 diff for upload module:
http://cvs.drupal.org/viewvc.py/drupal/drupal/modules/upload/upload.modu...

attached patch syncs 7.x with 6.x for function upload_file_download($filepath)

pwolanin’s picture

pwolanin commented

however:

The way that the node_access('view', $node)-check was added to upload_file_download broke a feature that previously was possible using the {upload}-table: to have the same file attached to multiple nodes. The bug only appears if these nodes are under different access control, and probabily only if the {upload}-table has been modified by another mdule than Upload module itself.

see: http://drupal.org/node/295586

maybe that should continue to be a feature request after the basic security hole is patched.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Needs review » Fixed

Committed. Thanks!

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.