$format not handled correctly in node preview

Project:Live
Version:6.x-1.0
Component:Code
Category:bug report
Priority:critical
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

Currently the node's input format is ignored. This issue is in live.node.inc. You pull the $format out of the post, but then in your node_teaser call you use $node->format, which has not been set. Setting $node->format = $format fixes this, but I am not sure why you don't just pull from the post into $node->format.

Also, when you call check_markup, you are using $format before it is set.

Comments

#1

I can confirm this; attached is a patch which fixes it.

Attachment: 328355.patch (1.4 KB)

#2

Status:needs review» fixed

Fixed in CVS! Thanks!

#3

Status:fixed» closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

#4

Please release?

#5

Status:closed (fixed)» needs work

+  $node->format = isset($_POST['format']) ? $_POST['format'] : 1;
+  $node->body = check_markup($body, $node->format);
   $node->name = isset($_POST['username']) ? $_POST['username'] : '';
   $node->created = isset($_POST['date']) ? strtotime($_POST['date']) : time();

   $access = user_access('use live comment preview');
   $token = $_POST['token'] != "" ? $_POST['token'] : "";
   $skip_anonymous = $user->uid == 0 ? true : false;
-  $format = isset($_POST['format']) ? $_POST['format'] : 1;
   $token_value = isset($_POST['token_value']) ? $_POST['token_value'] : '';
   $valid_token = drupal_valid_token($token, $token_value, $skip_anonymous);

-  if (!filter_access($format) || !$access || !$valid_token || !node_access('create', $node) || !node_access('update', $node)) {
+  if (!filter_access($node->format) || !$access || !$valid_token || !node_access('create', $node) || !node_access('update', $node)) {
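
Review bot: in the first region, `$node->body = check_markup($body, $node->format);` still executes before the `filter_access($node->format)` test and before `$valid_token` is computed, so the patch only renames the variable and leaves the ordering problem in place; move the check_markup() call below the combined `if (!filter_access(...) || ... || !$valid_token ...)` check so that a request failing the permission, format or token checks never reaches the filter. Also, `$_POST['token'] != ""` without isset() raises a notice when the field is absent; use `isset($_POST['token']) ? $_POST['token'] : ''` as the neighbouring lines do.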

POOF.

The filter_access check has to be BEFORE using the Input format. With the patch users can run arbitrary formats. What if the PHP filter is enabled for one of those?

#6

Note, while fortunately check_markup does an access check as well (third arg TRUE), arbitrary code execution via CSRF is still possible because check_markup is used before the token check.
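
The ordering the last two comments ask for, as an added example (a hypothetical helper, not the Live module's own code): the CSRF token, permission, node-access and filter_access checks all run before any POSTed text reaches check_markup() or node_teaser(). It assumes $node has already been built by the caller and that the POST fields are the ones named in the patch.

```php
<?php
// Added example, not code from the Live module. Hypothetical preview
// handler: every check happens before the body is passed to a filter.
function live_node_preview_safe($node) {
  global $user;

  // 1. Read the requested input format and body, but do nothing with
  //    them yet. Fallback mirrors Drupal 6's default format.
  $format = isset($_POST['format']) ? (int) $_POST['format'] : FILTER_FORMAT_DEFAULT;
  $body   = isset($_POST['body']) ? $_POST['body'] : '';

  // 2. CSRF token check first: a forged request must be rejected before
  //    any filter (a PHP-evaluating one included) touches the body.
  $token       = isset($_POST['token']) ? $_POST['token'] : '';
  $token_value = isset($_POST['token_value']) ? $_POST['token_value'] : '';
  $skip_anonymous = ($user->uid == 0);
  if (!drupal_valid_token($token, $token_value, $skip_anonymous)) {
    return FALSE;
  }

  // 3. The user must hold the preview permission, be allowed this node
  //    operation, and be allowed to use the requested input format.
  if (!user_access('use live comment preview')
      || !node_access('create', $node)
      || !node_access('update', $node)
      || !filter_access($format)) {
    return FALSE;
  }

  // 4. Only now is the text rendered. The format is stored on the node
  //    so node_teaser() uses the same format check_markup() was given.
  $node->format = $format;
  $node->body   = check_markup($body, $format, TRUE);
  $node->teaser = node_teaser($body, $format);
  return $node;
}
```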

#7

Status:needs work» fixed

Fixed with 6.x-1.1

#8

Well, 6.x-1.2

#9

Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.