Home » Download » Modules » Private Upload » Issues

Security issue with comment upload / private checkbox

rpsu - April 22, 2009 - 06:16
Project:Private Upload
Version:5.x-1.0-rc2
Component:Code
Category:bug report
Priority:critical
Assigned:Unassigned
Status:active
Description

Using Private Upload 5.x-1.0-rc2 and Comment Upload 5.x-0.1 there is a pretty serious issue: While attaching files into comment user does have "private" checkbox, but it does not have any effect - files do not get protected!

Basically user thinks that checking private-checkbox files are protected, but they are not. Files as just as unprotected as usual node attachments which user does not mark as protected.

There is also a feature request #197591: Add "private" checkbox on Comment Upload attachments to comments, but I'd like to see this issue solved either with just telling user about this or removing checkbox in comment upload (I'll submit this issue also with to Comment upload -module, since I have no idea which one of these two modules should be take care of this).

» Login or register to post comments

#1

rpsu - April 22, 2009 - 06:23
Title:Security issua with comment upload / private checkbox» Security issue with comment upload / private checkbox

Issue submitted: #441262: Security issue with Comment Upload + Private Uploads - files NOT protected but user thinks they are

Login or register to post comments

#2

rpsu - May 7, 2009 - 05:34

#441262: Security issue with Comment Upload + Private Uploads - files NOT protected but user thinks they are says:

This is an issue for Private Upload. If it can't be fixed there, I'd be responsive to a patch, but I'm not planning to do any work on the 5.x branch beyond patch review.

Does anyone have any idea how to solve this?

Login or register to post comments
 
 

Drupal is a registered trademark of Dries Buytaert.