Posted by pwolanin on October 10, 2008 at 12:54am
| Project: | Drupal core |
| Version: | 7.x-dev |
| Component: | upload.module |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
In the Drupal 6 version, the check against Node Access was dropped in the implementation of hook_file_download.
That's a problem. Provided a user can 'view uploaded files' (has that permission), he can download any file attached to any node, including the files attached to nodes that are unpublished or to which he has no 'view' access, provided of course that he has the links to these files.
D6 and D7 patches were from Damien Tournoud. The D6 version went into 6.4 as part of the security patch.
However, slightly different fixes were proposed at: http://drupal.org/node/247095
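As an added illustration (not the patch from this issue and not Drupal core's own code), here is the shape of the bug the summary describes in a Drupal 6-era `hook_file_download()` implementation: the first function grants the download on the `'view uploaded files'` permission alone, the second also loads the node the file is attached to and applies `node_access('view', ...)`, which is the check the summary says was dropped. It assumes the D6 procedural API (`db_query()` with `%s` placeholders, `db_fetch_object()`, `node_load()`, `node_access()`) and the D6 `{files}` / `{upload}` tables; the function names are illustrative, not functions in the module.

```php
<?php
// Added example, not code from the issue or from Drupal core.
// Assumes the Drupal 6-era API and schema; function names are illustrative.

// Vulnerable shape: the permission check alone decides who may download.
// Any user with 'view uploaded files' who knows the path gets the file,
// even when it is attached to an unpublished node or one they cannot view.
function example_upload_file_download_unsafe($filepath) {
  $filepath = file_create_path($filepath);
  $result = db_query("SELECT f.* FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE f.filepath = '%s'", $filepath);
  if ($file = db_fetch_object($result)) {
    if (user_access('view uploaded files')) {
      return array(
        'Content-Type: ' . $file->filemime,
        'Content-Length: ' . $file->filesize,
      );
    }
    return -1;
  }
  // Not an upload.module file: return nothing and let other modules decide.
}

// Hardened shape: require both the permission and node-level view access
// on the node the file is attached to. In D6, node_access('view', $node)
// refuses unpublished nodes to anyone but the author or an administrator
// and applies node_access grants on published ones, so files on nodes the
// user cannot see are denied even when the link is known.
function example_upload_file_download_checked($filepath) {
  $filepath = file_create_path($filepath);
  $result = db_query("SELECT f.*, u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE f.filepath = '%s'", $filepath);
  while ($file = db_fetch_object($result)) {
    // A case-insensitive collation can match a different path; insist on
    // an exact match before treating the row as this file.
    if ($filepath !== $file->filepath) {
      continue;
    }
    $node = node_load($file->nid);
    if ($node && user_access('view uploaded files') && node_access('view', $node)) {
      return array(
        'Content-Type: ' . $file->filemime,
        'Content-Length: ' . $file->filesize,
      );
    }
    // Deny: the file belongs to a node this user may not view.
    return -1;
  }
}
```

The contract of `hook_file_download()` in this era is what makes the second version effective: returning `-1` from any module denies the download outright, returning an array of headers serves the file, and returning nothing defers to other modules. The hardened function therefore never falls through to a grant when the node lookup or `node_access()` fails.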
Comments
#1
Here's the 6.4 diff for upload module:
http://cvs.drupal.org/viewvc.py/drupal/drupal/modules/upload/upload.modu...
Attached patch syncs 7.x with 6.x for function upload_file_download($filepath).
#2
However:
See: http://drupal.org/node/295586
Maybe that should continue to be a feature request after the basic security hole is patched.
#3
Committed. Thanks!
#4
Automatically closed -- issue fixed for two weeks with no activity.