A major piece of work I've yet to complete for this module is to review it for security holes and ensure that the access permissions are working as desired.

Comments

spiderman

Priority: Normal » Critical

will be committing a patch for this later today..

spiderman

Status: Active » Fixed

considering this fixed as of commit #123086, tho I'm not 100% sure I've done the right thing with the check_plain I added in the _discussthis_set_topic function..

toemaz

$result = db_query(db_rewrite_sql($sql), check_plain($title));

check_plain is not required here because $title is checked when injected into the query.

spiderman

ah, sweet, thanks for the tip! I kinda thought I was being overzealous, but didn't want to be underzealous, anyway ;)

I'll remove that line in a subsequent commit, and consider this issue closed. Fortunately, the module doesn't really do anything much with user input, so it's relatively easy to keep things secure.
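To make toemaz's point concrete, here is an added PHP example that is not part of this thread or of the discussthis module. It models, in simplified form, what db_query() does with a %s argument and why wrapping that argument in check_plain() adds no SQL protection but does change what the query matches. The helper names (model_check_plain, model_db_escape_string, model_db_query) are stand-ins written for this example, not Drupal's own functions, and the table and title are constructed sample data.

```php
<?php
// Added example, not from the issue or the module. The three helpers below
// are simplified models of Drupal 5/6 behaviour, not the real API.

// Approximation of check_plain(): HTML-encode a string for safe output.
function model_check_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Approximation of the escaping db_query() applies to every string argument
// before substituting it into a %s placeholder: backslashes, quotes and
// control characters are backslash-escaped so a value cannot close the
// surrounding SQL string literal.
function model_db_escape_string(string $text): string {
    $from = ["\\", "'", "\"", "\0", "\n", "\r", "\x1a"];
    $to   = ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"];
    return str_replace($from, $to, $text);
}

// Builds the SQL the way db_query() does for %s placeholders (escape each
// argument, then substitute). Returns the query text instead of executing it
// so the effect on the final statement can be inspected.
function model_db_query(string $sql, string ...$args): string {
    $escaped = array_map('model_db_escape_string', $args);
    return vsprintf($sql, $escaped);
}

// Constructed sample input: a title containing a quote and an HTML tag.
$sql   = "SELECT nid FROM {node} WHERE title = '%s'";
$title = "O'Reilly's topic <b>";

// 1. Passing the raw title: db_query() escapes the quotes itself, the value
//    stays inside the literal, and it still equals the title stored in the
//    database, so the lookup matches.
$correct = model_db_query($sql, $title);

// 2. Passing check_plain($title): the quotes and angle brackets are turned
//    into HTML entities *before* the query is built, so the statement now
//    compares against the entity-encoded text rather than the stored title.
//    The SQL escaping in step 1 already happened anyway, so nothing is gained.
$double  = model_db_query($sql, model_check_plain($title));

// 3. Where check_plain() belongs: at output time, when the raw title is
//    printed into HTML. The query layer and the HTML layer escape for
//    different contexts and should not be mixed.
$html    = '<h2>' . model_check_plain($title) . '</h2>';

echo "query with raw argument:         $correct\n";
echo "query with check_plain argument: $double\n";
echo "title rendered for HTML output:  $html\n";
```

Run it with php on the command line and compare the first two lines: the second query searches for a string that only exists in encoded form, which is the practical reason the check_plain() call in _discussthis_set_topic was unnecessary, not just redundant. The rule of thumb the thread arrives at is escape per context: db_query() placeholders for SQL, check_plain() (or t() with @-placeholders) for HTML.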

Anonymous

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.