Versions: drupal-6.11, Atom 6.x-1.1, and modr8 6.x-1.1

A node in the moderation queue (modr8) has been found in an atom feed.

This is a serious issue for a moderated web site!

CommentFileSizeAuthor
#10 458034-atom-dbrewritesql-D6.patch3.88 KBdave reid

Comments

deekayen’s picture

deekayen commented
Project: Atom » modr8
Version: 6.x-1.1 » 6.x-1.x-dev

I don't use modr8, but a quick grep of the code appears to show that it doesn't use hook_node_grants(), which is how atom would know to not show the node.

pwolanin’s picture

pwolanin commented

This module does not provide access control - it uses db_rewrite_sql to exclude moderated nodes from (most) listings.

jean-bernard.addor’s picture

jean-bernard.addor commented
Title: Not yet moderated node found in atom feed! » Not yet moderated node found in atom feed! (modr8 or atom issue?)

My point is :

Using moderation (modr8) the node in moderation do not appear in RSS feeds but in Atom feeds, it is unexpected and a serious issue from my point of view. I do not understand the technical points, but maybe this issue should come back to Atom. Then I installed the atom module, I thought it was a rewrite of the rss code adapted to another protocol. Now I have the impression they work pretty differently. I am asking me why atom feeds do not behave like drupal internal rss feeds?

pwolanin’s picture

pwolanin commented
Project: modr8 » Atom

This would suggest the bug is in the Atom module - e.g. that it's not correctly calling db_rewrite_sql()

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented

This is a security issue. Reporting to security team...

pwolanin’s picture

pwolanin commented

Yep db_rewrite_sql is only applied for taxonomy, not for anything else:

/**
 * Produces an atom 1.0 feed for the front page content.
 */
function atom_feed() {
  ...
  $nodes = db_query_range("SELECT n.nid FROM {node} n WHERE n.promote = '1' AND n.status = '1' ORDER BY n.created DESC", 0, variable_get('atom_feed_entries', 15));

  ...
}

function atom_blog_feed() {
  ...
  $nodes = db_query_range("SELECT n.nid FROM {node} n WHERE n.type = 'blog' AND n.status = '1' ORDER BY n.created DESC", 0, variable_get('atom_feed_entries', 15));

  ...
}

function atom_node_feed($nid) {
  ...
  $nodes = db_query_range("SELECT n.nid FROM {node} n WHERE n.nid = %d AND n.status = '1' ORDER BY n.created DESC", $nid, 0, 1);

  ...
}

function atom_user_blog_feed($uid) {
  ...

  $nodes = db_query_range("SELECT n.nid FROM {node} n WHERE n.type = 'blog' AND n.uid = %d AND n.status = '1' ORDER BY n.created DESC", $uid, 0, variable_get('atom_feed_entries', 15));
  ...
}
dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented

It is interesting to note that the results of the queries are run through node_load() and then checked through node_access('view', $node) so it's not like it didn't try. I'm wondering why this wouldn't catch nodes restricted with modr8 because sometimes I use the same logic with one of my modules.

function _atom_print_feed($nodes, $feed_info) {
  $output = '';
  $last_mod = 0;
  while ($node = db_fetch_object($nodes)) {
    $item = node_load(array('nid' => $node->nid));
    if (!node_access('view', $item)) {
      continue;
    }
  ...
}
dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented

Republishing this issue because the module does run all the proper access checks. Although it should be using db_rewrite_sql() on all those queries.

pwolanin’s picture

pwolanin commented

Note modr8 is not a node access module - it just hides nodes from listings using SQL rewrites.

The technique used by this module is adding the overhead of a lot of extra queries also - it should just let node access, etc, work via rewriting the queries like core does:

http://api.drupal.org/api/function/node_feed/6

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
Status: Active » Needs review
StatusFileSize
new 458034-atom-dbrewritesql-D6.patch3.88 KB

Patch attached for review.

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
Title: Not yet moderated node found in atom feed! (modr8 or atom issue?) » Use db_rewrite_sql instead of checking node_access() on each node
dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented

Changing title to be more appropriate

deekayen’s picture

deekayen commented
Title: Use db_rewrite_sql instead of checking node_access() on each node » Not yet moderated node found in atom feed! (modr8 or atom issue?)
Status: Needs review » Closed (duplicate)

I know there's lots of discussion here, but it originated at #61791: Not Respecting Node Access, so I'd prefer to move there so all the other subscribers can follow the change.