upload_file_download() Blocks Access to Files Upload Doesn't Own

quicksketch - February 8, 2009 - 22:22
Project: Drupal
Version: 7.x-dev
Component: upload.module
Category: bug report
Priority: normal
Assigned: quicksketch
Status: duplicate
Description

We just can't seem to get this right. I've opened a new issue separate from #247095: Upload.module hard-codes 'view uploaded files' permission check, since that one has had its changes applied back to Drupal 6 and this problem is specific to Drupal 7's upload.module.

Currently we have a single IF statement to check if the $file was found. If the file is not found in the upload database table, upload module denies access to the file (essentially upload.module is again blocking access to all files it doesn't control).

This patch makes it so that upload.module only checks permissions on files it owns.

Attachment: upload_file_download.patch
Size: 1.12 KB
Status: Idle
Test result: Passed: 9597 passes, 0 fails, 0 exceptions
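
Added example, not part of the original post and not Drupal core code: a simplified model of the behaviour described above, following the hook_file_download() convention that -1 denies, an array of headers allows, and no return value means no opinion. The function names, file paths and the $upload_table data are constructed for illustration.

```php
<?php
// Constructed sample data: the only file upload.module has a record for.
$upload_table = ['private/report.pdf' => ['filemime' => 'application/pdf']];

// Behaviour described in this issue: a file missing from the upload
// table falls through to a denial, even though upload does not own it.
function upload_download_buggy($uri, array $table, $can_view) {
  if (isset($table[$uri]) && $can_view) {
    return ['Content-Type' => $table[$uri]['filemime']];
  }
  return -1; // Also reached for files upload.module has never seen.
}

// Behaviour the patch aims for: permission is checked only on owned files.
function upload_download_fixed($uri, array $table, $can_view) {
  if (!isset($table[$uri])) {
    return NULL; // Not our file: no opinion, the owning module decides.
  }
  return $can_view ? ['Content-Type' => $table[$uri]['filemime']] : -1;
}

// Hypothetical stand-in for another module that owns a private file,
// such as a user picture.
function picture_download($uri) {
  return $uri === 'private/pictures/picture-1.png'
    ? ['Content-Type' => 'image/png']
    : NULL;
}

// Simplified dispatcher: any -1 denies; otherwise any headers serve the
// file; if no module answered, the file is treated as not found.
function decide(array $results) {
  $results = array_filter($results, function ($r) { return $r !== NULL; });
  if (in_array(-1, $results, TRUE)) {
    return 'denied';
  }
  return $results ? 'served' : 'not found';
}

$pic = 'private/pictures/picture-1.png';
$doc = 'private/report.pdf';
// Picture owned by another module, viewer has 'view uploaded files'.
echo decide([upload_download_buggy($pic, $upload_table, TRUE), picture_download($pic)]), "\n";
echo decide([upload_download_fixed($pic, $upload_table, TRUE), picture_download($pic)]), "\n";
// Upload-owned file, viewer lacks the permission: the fix must still deny.
echo decide([upload_download_fixed($doc, $upload_table, FALSE), picture_download($doc)]), "\n";
```

The last call is the regression check worth keeping next to the fix: returning no opinion for unowned files must not weaken the denial for files upload.module does own.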

#1

quicksketch - February 8, 2009 - 22:32

Upload module was working properly for only a short time. This bug was re-introduced in #352236: Finish moving upload.module to DB:TNG.

#2

quicksketch - February 8, 2009 - 22:33
Title: upload_file_download() Blocks Acess to Files Upload Doesn't Own » upload_file_download() Blocks Access to Files Upload Doesn't Own

#3

drewish - February 9, 2009 - 00:09

Good call, now that user.module has user pictures as files it should be easy to add a user picture and then try a private download of that and make sure upload module ain't up in its business.

#4

quicksketch - February 9, 2009 - 00:45
Status: needs review » duplicate

Sorry I didn't realize you'd uploaded basically an identical patch in #247095: Upload.module hard-codes 'view uploaded files' permission check. I'll mark this as a duplicate and we can review in the other thread (which now has a patch for both fixing this problem and adding tests).

 
 
