reported by: Giles Kennedy

this code caught my eye:

$sql = "SELECT COUNT(*) FROM {node_access} WHERE (nid = 0 OR nid = %d) $grants_sql AND grant_$op >= 1";

(from http://api.drupal.org/api/function/node_access/6).

$op *should* be one of "view", "update", "create" or "delete" and so *should* be safe ... if a variable is used (e.g. in a custom/contrib module) to pass $op to node_access(), and if that variable is derived from user input, then we are relying on the module to sanitise $op correctly to prevent SQL injection.

it should actually use http://api.drupal.org/api/function/db_escape_table/6 to make sure that the constructed table name is well-formed.

Comments

pwolanin’s picture

Status: Active » Needs review
StatusFileSize
new842 bytes

Trivial patch, but not tested.

pwolanin’s picture

StatusFileSize
new854 bytes

here's the 6.x backport

robertdouglass’s picture

StatusFileSize
new736 bytes

I wonder if we shouldn't somehow validate $op? Perhaps both changes are advisable, but here's another patch to consider. Taking the time to validate $op seems like a better way to handle the issue to me. If we had the concept of error handling in Drupal we'd actually throw an error if $op were not one of the allowed values. I think it's rather critical to not only ensure no SQL injection can occur (like the suggested patch), but that the allowed values actually match the expected columns of the database.

The question remains whether anyone extends the {node_access} table with other grants, in which case this patch is undesirable, but other than that, I prefer it.

pwolanin’s picture

I'd rather not fix the op values - is there anything that says another module can't define another op? I guess new columns would have to be added? But hook_schema_alter is available for just such a reason.

robertdouglass’s picture

Ok, I'm convinced. Best to go with #2 for now.

paul.lovvik’s picture

Status: Needs review » Reviewed & tested by the community

Reviewed both patches (#1 and #2) and verified that they work on their respective branches. Both look good.

catch’s picture

#1 and #2 still apply.

catch’s picture

Status: Reviewed & tested by the community » Needs work

Needs a re-roll for dbtng.

drewish’s picture

Status: Needs work » Needs review
StatusFileSize
new1.11 KB

so here's the minimal DBTNG udpate. looking at the conditionals code I'm not seeing a good way to ensure the order of operations on nested OR and AND operators. i'm not convinced that the conditions framework is expressive enough at this point. maybe we can get this committed then revisit the full query.

i started looking for the unit tests for node_access and it doesn't look like there are any... that's really freaking scary... i'll see if there's an issue for that some place.

drewish’s picture

Crell explained to me how to get the conditions to do what they'd need to do but I'm not going to say we should hold up the patch over it. If i get a chance I'll pick this back up and work on converting it to a full DBTNG dynamic query.

And look at adding some unit tests... eek.

catch’s picture

Status: Needs review » Needs work

This is already in 6.x as of http://drupal.org/node/358957 so needs forward porting from there.

pwolanin’s picture

Title: Column name in node access query is not checked for corr » SA-CORE-2009-001: possible SQL injection risk in node_access()
Priority: Normal » Critical
StatusFileSize
new784 bytes

here's the patch that went into D6

dave reid’s picture

Status: Needs work » Needs review
StatusFileSize
new1.52 KB

Rerolled along with some trivial whitespace changes in node.module picked up by my IDE.

dries’s picture

Status: Needs review » Fixed

Committed to CVS HEAD. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

pwolanin’s picture

tagging