$format not handled correctly in node preview
starbow - October 30, 2008 - 23:06
| Project: | Live |
| Version: | 6.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Description
Currently the node's Input format is ignored. This issue is in live.node.inc. You pull the $format out of the post, but then in your node_teaser call you use $node->format, which has not been set. Setting $node->format = $format fixes this, but I am not sure why you don't just pull from the post into $node->format.
Also, when you call check_markup, you are using $format before it is set.

#1
I can confirm this; attached is a patch which fixes this.
#2
Fixed in CVS! Thanks!
#3
Automatically closed -- issue fixed for two weeks with no activity.
#4
Please release?
#5
+ $node->format = isset($_POST['format']) ? $_POST['format'] : 1;
+ $node->body = check_markup($body, $node->format);
$node->name = isset($_POST['username']) ? $_POST['username'] : '';
$node->created = isset($_POST['date']) ? strtotime($_POST['date']) : time();
$access = user_access('use live comment preview');
$token = $_POST['token'] != "" ? $_POST['token'] : "";
$skip_anonymous = $user->uid == 0 ? true : false;
- $format = isset($_POST['format']) ? $_POST['format'] : 1;
$token_value = isset($_POST['token_value']) ? $_POST['token_value'] : '';
$valid_token = drupal_valid_token($token, $token_value, $skip_anonymous);
- if (!filter_access($format) || !$access || !$valid_token || !node_access('create', $node) || !node_access('update', $node)) {
+ if (!filter_access($node->format) || !$access || !$valid_token || !node_access('create', $node) || !node_access('update', $node)) {
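Review bot: the added `$node->body = check_markup($body, $node->format);` line renders the body with a format id taken directly from `$_POST['format']` before the `if (!filter_access($node->format) || ... || !$valid_token || ...)` guard at the end of the hunk has run, so the per-format permission and the token check only decide what happens after the rendering has already occurred. Move the two `+` lines below that guard (or return before reaching them when it fails) so that no caller-supplied format id is used until filter_access and drupal_valid_token have accepted the request.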
POOF.
The filter_access check has to be BEFORE using the Input format. With the patch users can run arbitrary formats. What if the PHP filter is enabled for one of those?
#6
Note, while fortunately check_markup does an access check as well (third arg TRUE), arbitrary code execution via CSRF is still possible because check_markup is used before the token check.
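The ordering that comments #5 and #6 ask for, written out as an added example (not the Live module's own code): the token, permission and format checks all run before any user-supplied format id reaches check_markup(). The function name, the $post array and the `body` key are assumptions; filter_access, drupal_valid_token, node_access, user_access and check_markup are the Drupal 6 functions the patch already uses.

```php
<?php
// Added example, not from the Live module. Renders a node preview body
// only after every access check has passed, so a format id chosen by the
// request (for instance one tied to the PHP filter) is never used before
// filter_access() has authorised it and the CSRF token has been verified.
function live_preview_body_guarded($node, array $post, $user) {
  // Same defaults as the patch, but nothing is rendered yet.
  $format      = isset($post['format']) ? (int) $post['format'] : 1;
  $body        = isset($post['body']) ? $post['body'] : '';      // assumed key
  $token       = isset($post['token']) ? $post['token'] : '';
  $token_value = isset($post['token_value']) ? $post['token_value'] : '';

  $skip_anonymous = ($user->uid == 0);
  $valid_token    = drupal_valid_token($token, $token_value, $skip_anonymous);

  // All checks first: CSRF token, preview permission, per-format
  // permission, then node permissions. The format id is only compared
  // against the user's rights here, never passed to a renderer.
  if (!$valid_token
      || !user_access('use live comment preview')
      || !filter_access($format)
      || !node_access('create', $node)
      || !node_access('update', $node)) {
    // Denied: no output at all for this request.
    return FALSE;
  }

  // Only now is the format stored on the node and the body rendered.
  $node->format = $format;
  $node->body   = check_markup($body, $node->format);
  return $node->body;
}
```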
#7
Fixed with 6.x-1.1
#8
Well, 6.x-1.2
#9
Automatically closed -- issue fixed for 2 weeks with no activity.