If a user protects a node, hits preview and then leaves the page, the module won't clean up completely after itself, because the entered_password session variable isn't cleared in this scenario.

Comments

quicksketch

Version: 5.x-1.2 » 6.x-1.5

Wow, this is a pretty terrible problem. It could also happen in the situation where a piece of content is previewed or saved (or even when the "Delete" button is clicked) and then you later go and modify a *completely* different node through admin/content/node or Views Bulk Operations. You very well could accidentally change passwords on a ton of nodes all at once.

The use of $_SESSION is completely unnecessary and should be removed entirely.

jadwigo

It seems to work without the $_SESSION['_protected_node']['entered_password']

AlexisWilke

Title: Session [entered password] can be poisoned » Session [entered password] can be poisoned (remove heavy use of the $_SESSION variable)

Making a note here, mainly. I'm not too sure I understand what you mean by "poisoned," but I'll look into how to remove all those $_SESSION. I think that the only one "necessary" is the one representing a cookie so we know that a user entered the password. All the others are probably not necessary.

Thank you.
Alexis

AlexisWilke

Assigned: mtolmacs » AlexisWilke
Status: Active » Fixed

Alright, all $_SESSION's are gone except the one to mark that a password was entered (since we need to attach that to each specific user.)

Let me know if you like this version better.

Thank you.
Alexis Wilke

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
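
A simplified model of the failure described in this thread, added here as an example and not taken from the Protected Node module: a password stashed in the session during an abandoned preview is later applied to unrelated nodes, while a save handler that reads only the submitted form leaves them alone. Function names, data shapes and the hashing call are assumptions made for illustration.

```php
<?php
// Simplified model of the bug in this thread. Function names, data shapes and
// the hashing call are assumptions, not the Protected Node module's code.

// BEFORE: preview stores the typed password in the session.
function preview_before(array &$session, array $form): void {
    $session['_protected_node']['entered_password'] = $form['password'];
}

// BEFORE: every node save applies whatever is in the session. Assumption:
// cleanup lives in the edit form's submit flow, which an abandoned preview
// never reaches, so the value outlives the request that created it.
function save_before(array $session, array &$stored, int $nid): void {
    if (isset($session['_protected_node']['entered_password'])) {
        $stored[$nid] = hash('sha256', $session['_protected_node']['entered_password']);
    }
}

// AFTER: the password comes only from the form submitted for this node.
function save_after(array &$stored, int $nid, array $form): void {
    if (isset($form['password']) && $form['password'] !== '') {
        $stored[$nid] = hash('sha256', $form['password']);
    }
}

// Constructed sample data: three nodes with distinct passwords.
$initial = [];
foreach ([1 => 'alpha', 2 => 'bravo', 3 => 'charlie'] as $nid => $pw) {
    $initial[$nid] = hash('sha256', $pw);
}

// The user previews node 1 with a new password, then leaves the page.
$session = [];
preview_before($session, ['password' => 'draft-pw']);

// Later, a bulk operation saves nodes 2 and 3; its form has no password field.
$before = $initial;
$after = $initial;
foreach ([2, 3] as $nid) {
    save_before($session, $before, $nid);
    save_after($after, $nid, []);
}

foreach ([2, 3] as $nid) {
    printf("node %d: before-fix %s, after-fix %s\n", $nid,
        $before[$nid] === $initial[$nid] ? 'unchanged' : 'OVERWRITTEN',
        $after[$nid] === $initial[$nid] ? 'unchanged' : 'OVERWRITTEN');
}
```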