blogapi_mt_set_post_categories() allows assigning arbitrary categories to posts regardless of taxonomy settings
| Project: | Drupal |
| Version: | 7.x-dev |
| Component: | blogapi.module |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
A fix for this went into Drupal 5.x and 6.x as part of SA-2008-060. From the original security issue:
Gábor:
The taxonomy vulnerability consists of arbitrary term IDs passing down to taxonomy_node_save(), which does not check whether you are allowed to assign these terms to these kinds of posts or not. Otherwise everybody appears to be able to categorize stuff if the taxonomy module is enabled, so the only issue here is going against taxonomy settings, which might not be a security bug after all.
drumm:
Taxonomy will have to be fixed at the blogapi level. The usual node form taxonomy selection is only validated with Form API's standard check on select elements; calling taxonomy_node_validate() does not help. taxonomy_node_save() simply does not have enough information to generate a decent error message. I would say this is a security issue since there are access-related modules based on taxonomy.

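The check drumm describes, done at the blogapi level before term IDs ever reach taxonomy_node_save(), as an added illustration that is not the committed patch: each requested term must exist and belong to a vocabulary attached to the node type being saved. The fixtures are constructed stand-ins for what Drupal 6's taxonomy_get_term() and taxonomy_vocabulary_load() would return, so the script runs without a Drupal install.

```php
<?php
// Added example, not the blogapi patch itself. Constructed fixtures replace
// the Drupal 6 lookups taxonomy_get_term($tid)->vid and
// taxonomy_vocabulary_load($vid)->nodes (keyed by node type in Drupal 6).

// Constructed data: term id => vocabulary id.
$term_vocab = array(10 => 1, 11 => 1, 20 => 2, 30 => 3);

// Constructed data: vocabulary id => node types the vocabulary is attached to.
$vocab_nodes = array(
  1 => array('blog' => 'blog'),
  2 => array('page' => 'page'),
  3 => array('blog' => 'blog', 'page' => 'page'),
);

/**
 * Return the term IDs that may not be assigned to a node of type $type.
 *
 * A term is rejected when it does not exist or when its vocabulary is not
 * enabled for $type; this is exactly the information taxonomy_node_save()
 * does not check on its own. Hypothetical helper name.
 */
function blogapi_example_invalid_terms($type, array $tids, array $term_vocab, array $vocab_nodes) {
  $invalid = array();
  foreach ($tids as $tid) {
    $tid = (int) $tid;
    if (!isset($term_vocab[$tid])) {
      $invalid[] = $tid;   // unknown term: nothing to look up
      continue;
    }
    $vid = $term_vocab[$tid];
    if (empty($vocab_nodes[$vid][$type])) {
      $invalid[] = $tid;   // vocabulary exists but is not attached to $type
    }
  }
  return $invalid;
}

// Constructed XML-RPC request: categories for a 'blog' post. Term 20 lives in
// a page-only vocabulary and term 99 does not exist; both must be refused.
$requested = array(10, 20, 30, 99);
$bad = blogapi_example_invalid_terms('blog', $requested, $term_vocab, $vocab_nodes);
if ($bad) {
  // Where blogapi would return an XML-RPC fault instead of saving the node.
  echo 'Rejected term IDs: ' . implode(', ', $bad) . "\n";
}
else {
  echo "All requested terms are allowed for this node type\n";
}
```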
#1
This patch contains only an update to the blogapi test. In the absence of the patch to fix the security hole we get: 64 passes, 4 fails, 0 exceptions.
#2
This patch is the fix to the blogapi module that went into Drupal 6.5; with this, all blogapi tests pass (68 passes, 0 fails, 0 exceptions).
The original version of this patch was by me, with additional review and fixes by Gábor.
#3
Committed, thanks!
#4
Automatically closed -- issue fixed for two weeks with no activity.