Security issue with comment upload / private checkbox

Project: Private Upload
Version: 5.x-1.0-rc2
Component: Code
Category: bug report
Priority: critical
Assigned: Unassigned
Status: active

Issue Summary

Using Private Upload 5.x-1.0-rc2 and Comment Upload 5.x-0.1 there is a pretty serious issue: while attaching files to a comment, the user does have a "private" checkbox, but it does not have any effect - files do not get protected!

Basically, the user thinks that by checking the private checkbox the files are protected, but they are not. Files are just as unprotected as usual node attachments which the user does not mark as protected.

There is also a feature request #197591: Add "private" checkbox on Comment Upload attachments to comments, but I'd like to see this issue solved either by just telling the user about this or by removing the checkbox in Comment Upload (I'll also submit this issue to the Comment Upload module, since I have no idea which one of these two modules should take care of this).

Comments

#1

Title: Security issua with comment upload / private checkbox » Security issue with comment upload / private checkbox

Issue submitted: #441262: Security issue with Comment Upload + Private Uploads - files NOT protected but user thinks they are

#2

#441262: Security issue with Comment Upload + Private Uploads - files NOT protected but user thinks they are says:

This is an issue for Private Upload. If it can't be fixed there, I'd be responsive to a patch, but I'm not planning to do any work on the 5.x branch beyond patch review.

Does anyone have any idea how to solve this?
