As a reference to http://drupal.org/node/532178#comment-1887114 it may be possible that core have a bug. I'm not sure if core supports single quotes and special chars in permission names as I thought core only support English permission names.
If the below statement is executed and the $renamed_permission contains a permission like access homebox Ma page d'accueil the statement fails:
$ret[] = update_sql("UPDATE {permission} SET perm = '$renamed_permission' WHERE rid = $role->rid");
So my questions are:
1. Do we support translated permission names? I think not.
2. Do we support special chars and single quotes? No idea
If 2 is supported we need to change the line of code. Can someone approve what the proposed solution should be?
Patch attached to change to db_query().
| Comment | File | Size | Author |
|---|---|---|---|
| core_system_update_6034_may_fail.patch | 829 bytes | hass |
Comments
Comment #1
hass commentedComment #2
gábor hojtsyWell, we assume permission names are English, but do not require that per say. (We also assume function names are in English and module names are in English, etc). Also, we assume permission names will not have single quotes in them. Best would be to fix the module which uses this permission.
Comment #3
hass commentedFor me it looks a bit like sql code injection... On one side the module does not filter correctly on the other side core is indirectly attackable... May be better to fix the module and core with the above patch?!?
Comment #4
hass commented@Gabor: See http://drupal.org/node/532178#comment-1997864 how many more modules may have created such permissions...
Comment #5
Anonymous (not verified) commentedI'm going to guess this is a won't fix for D6, since D6 commits focus on security fixes at this point.