4.6.2 node.module incorrectly assumes 404 when access denied [#27864]

Comment	File	Size	Author
#6	27864-node.module-4.6.2_0.patch	682 bytes	willmoy
#2	27864-node.module-4.6.2.patch	682 bytes	willmoy
#1	27864-user.module-4.6.2.patch	686 bytes	willmoy

Comment #1

willmoy commented 30 July 2005 at 20:23

Title:	user.module incorrectly assumes 404 when access denied	» node.module incorrectly assumes 404 when access denied
Component:	user.module	» node.module

Status	File	Size
new	27864-user.module-4.6.2.patch	686 bytes

Tested patch against 4.6.2 branch attached.

Log in or register to post comments

Comment #2

willmoy commented 31 July 2005 at 01:01

Title:	node.module incorrectly assumes 404 when access denied	» 4.6.2 node.module incorrectly assumes 404 when access denied
Status:	Active	» Needs review

Status	File	Size
new	27864-node.module-4.6.2.patch	682 bytes

New patch. Correctly handles both 403s and 404s. Adds an extra query to verify which is happening.

Log in or register to post comments

Comment #3

dries commented 31 July 2005 at 10:18

Status:

Needs review

» Needs work

That code is insecure and may lead to SQL injection attacks.

Log in or register to post comments

Comment #4

willmoy commented 31 July 2005 at 19:09

Status:

Needs work

» Needs review

The patch doesn't include enough context to show that the query is subject to a check of is_numeric(arg(1)). I don't think this is vulnerable to SQL injection, but I'd be grateful if someone else would check and I apologise if I'm missing something.

The patched code in context:

case 'view':
      if (is_numeric(arg(1))) {
        $node = node_load(array('nid' => arg(1)), $_GET['revision']);
        if ($node->nid) {
          drupal_set_title(check_plain($node->title));
          print theme('page', node_show($node, arg(2)));
        }
        else if (db_fetch_object(db_query('SELECT nid FROM {node} WHERE nid=%s', arg(1)))) {
          drupal_access_denied();
        }
        else {
          drupal_not_found();
        }
      }
      break;

The cvs version of this patch http://drupal.org/node/27873 has the same context.

Log in or register to post comments

Comment #5

killes@www.drop.org commented 31 July 2005 at 19:42

I think the problem is this:
WHERE nid=%s', arg(1)

It should be

WHERE nid = '%s'", arg(1)

if arg(1) were indeed a string, but since it isn't it should be

WHERE nid = %d', arg(1)

Log in or register to post comments

Comment #6

willmoy commented 31 July 2005 at 20:06

Status	File	Size
new	27864-node.module-4.6.2_0.patch	682 bytes

Thanks very much killes, that was dumb of me.

New patch attached.

Log in or register to post comments

Comment #7

Steven commented 5 August 2005 at 00:38

Status:

Needs review

» Fixed

Committed.

Log in or register to post comments

Comment #8

(not verified) commented 19 August 2005 at 00:48

Log in or register to post comments

Comment #9

(not verified) commented 2 September 2005 at 00:51

Log in or register to post comments

Comment #10

(not verified) commented 16 September 2005 at 01:22

Log in or register to post comments

Comment #11

(not verified) commented 30 September 2005 at 06:10

Status:

Fixed

» Closed (fixed)

Log in or register to post comments

4.6.2 node.module incorrectly assumes 404 when access denied

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

News items

Our community

Documentation

Drupal code base

Governance of community