I've seen several issues like this in the queue (i.e. #723558: Content Access & Freelinking), all closed for one reason or another. Yet the problem remains in the 7.x-3.x branch. When a user puts [[node title]] into the body of a node, it generates a link to that node even if the user is denied access. This gives a hacker a way to learn that a node exists that they would otherwise not know.

A fix might be to rewrite freelinking_nid_callback() to use a db_select() with addTag('node_access'). I haven't gotten so far as to test that. I wanted to ask here first and confirm that such a fix might get into the module. Thanks.

CommentFileSizeAuthor
#1 freelinking_node_access.diff1.9 KBDave Cohen

Comments

Dave Cohen’s picture

Status: Active » Needs review
StatusFileSize
new1.9 KB

I believe the attached patch is working for my test case.

greggles’s picture

FWIW, this is not really possible to do "right" because text bodies are cached so the result of the node access call will be cached from one user and then used again for a second user who may have different permissions.

gisle’s picture

Version: 7.x-3.x-dev » 7.x-3.3
Issue summary: View changes
Status: Needs review » Fixed

This is fixed in the 7.x-3.3 and 6.x-3.3 releases by turning off caching if the site uses some sort of access control.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.