Reading through your code, I think I found the fix.

CommentFileSizeAuthor
swfupload.patch1.51 KBinktri

Comments

inktri’s picture

inktri commented
Priority: Normal » Critical
Status: Active » Needs work
whisk’s picture

whisk commented
Status: Needs work » Active

This is good, but to my opinion, the whole idea of "simulating" user session is a fail.
In this case, the session isn't started properly, and all functions called before swfupload session start would act incorrectly (assuming current user is anonymous).
In my opinion, the only way is to use custom session handler and specify 'session_inc' variable. But it requires changing settings.php file, which is not quite convenient. Maybe I'm missing something very obvious?

eugenmayer’s picture

eugenmayer commented
Status: Active » Postponed (maintainer needs more info)

Cant understand the security issue - can you please rephrase and explain the attack vector?

skilip’s picture

skilip commented

This issue has been created 3 yrs ago for 5.x-1.x-dev. I'm not sure this issue still applies.

eugenmayer’s picture

eugenmayer commented

Thats a point :)

skilip’s picture

skilip commented

The Drupal 5 branch will not be longer supported

skilip’s picture

skilip commented
Status: Postponed (maintainer needs more info) » Closed (won't fix)

The Drupal 5 branch will not be longer supported