Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.reported by ccode with suggested fix to the security team for 6.x, fix in SA-2008-60 for 6.x with patch by Gabor.
In upload.module, near the top of function upload_node_form_submit(),
there is a line,
if (($user->uid != 1 || user_access('upload files')) && ...
The "!=" should be "==" like this,
if (($user->uid == 1 || user_access('upload files')) && ...
meaning you are the admin or you have access privilege.
Looking into user_access(), you see admin has full access rights. So,
really, the if statement should be,
if (user_access('upload files') && ...
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | upload_bypass-319328.patch | 939 bytes | pwolanin |
Comments
Comment #1
pwolanin commentedhere's the change that was committed to 6.x.
Comment #2
drewish commentedseems like a good thing to have a test for...
Comment #3
pwolanin commentedccode is: http://drupal.org/user/306203
@drewish - sure, but we should get these security patches that went in 6.x into 7.x asap and can revisit the need for new tests. Otherwise they are likely to be forgotten, no longer apply, etc.
Comment #4
Anonymous (not verified) commentedYes, this makes sense to me.
EDIT: Please commit and then set as CNW for the test.
Comment #5
webchickCommitted. Marking CNW for test. ;)
Comment #6
catchMoving around so we know the original patch went in easier.
Comment #7
catchComment #8
grendzy commentedsee #563000: Provide upgrade path to file
Comment #9
grendzy commentedComment #10
webchickWhelp. Guess we don't need this anymore. ;)