To reproduce:
- Take a page which is denied to anonymous users by node_privacy_byrole
- Go to it as an anonymous user
- Receive 404 error

Note: this bug did not exist in 4.5.x

CommentFileSizeAuthor
#6 27864-node.module-4.6.2_0.patch682 byteswillmoy
#2 27864-node.module-4.6.2.patch682 byteswillmoy
#1 27864-user.module-4.6.2.patch686 byteswillmoy
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

willmoy’s picture

willmoy CreditAttribution: willmoy commented
Title: user.module incorrectly assumes 404 when access denied » node.module incorrectly assumes 404 when access denied
Component: user.module » node.module
FileSize
27864-user.module-4.6.2.patch686 bytes

Tested patch against 4.6.2 branch attached.

willmoy’s picture

willmoy CreditAttribution: willmoy commented
Title: node.module incorrectly assumes 404 when access denied » 4.6.2 node.module incorrectly assumes 404 when access denied
Status: Active » Needs review
FileSize
27864-node.module-4.6.2.patch682 bytes

New patch. Correctly handles both 403s and 404s. Adds an extra query to verify which is happening.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Needs review » Needs work

That code is insecure and may lead to SQL injection attacks.

willmoy’s picture

willmoy CreditAttribution: willmoy commented
Status: Needs work » Needs review

The patch doesn't include enough context to show that the query is subject to a check of is_numeric(arg(1)). I don't think this is vulnerable to SQL injection, but I'd be grateful if someone else would check and I apologise if I'm missing something.

The patched code in context:

case 'view':
      if (is_numeric(arg(1))) {
        $node = node_load(array('nid' => arg(1)), $_GET['revision']);
        if ($node->nid) {
          drupal_set_title(check_plain($node->title));
          print theme('page', node_show($node, arg(2)));
        }
        else if (db_fetch_object(db_query('SELECT nid FROM {node} WHERE nid=%s', arg(1)))) {
          drupal_access_denied();
        }
        else {
          drupal_not_found();
        }
      }
      break;

The cvs version of this patch http://drupal.org/node/27873 has the same context.

killes@www.drop.org’s picture

killes@www.drop.org CreditAttribution: killes@www.drop.org commented

I think the problem is this:
WHERE nid=%s', arg(1)

It should be

WHERE nid = '%s'", arg(1)

if arg(1) were indeed a string, but since it isn't it should be

WHERE nid = %d', arg(1)

willmoy’s picture

willmoy CreditAttribution: willmoy commented
FileSize
27864-node.module-4.6.2_0.patch682 bytes

Thanks very much killes, that was dumb of me.

New patch attached.

Steven’s picture

Steven CreditAttribution: Steven commented
Status: Needs review » Fixed

Committed.

Anonymous’s picture

(not verified) CreditAttribution: commented
Anonymous’s picture

(not verified) CreditAttribution: commented
Anonymous’s picture

(not verified) CreditAttribution: commented
Anonymous’s picture

(not verified) CreditAttribution: commented
Status: Fixed » Closed (fixed)