Posted by hass on August 4, 2009 at 7:12pm
2 followers
Jump to:
| Project: | Drupal core |
| Version: | 6.x-dev |
| Component: | system.module |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs review |
Issue Summary
As a reference to http://drupal.org/node/532178#comment-1887114 it may be possible that core have a bug. I'm not sure if core supports single quotes and special chars in permission names as I thought core only support English permission names.
If the below statement is executed and the $renamed_permission contains a permission like access homebox Ma page d'accueil the statement fails:
<?php
$ret[] = update_sql("UPDATE {permission} SET perm = '$renamed_permission' WHERE rid = $role->rid");
?>So my questions are:
1. Do we support translated permission names? I think not.
2. Do we support special chars and single quotes? No idea
If 2 is supported we need to change the line of code. Can someone approve what the proposed solution should be?
Patch attached to change to db_query().
| Attachment | Size | Status | Test result | Operations |
|---|---|---|---|---|
| core_system_update_6034_may_fail.patch | 829 bytes | Ignored | None | None |
Comments
#1
#2
Well, we assume permission names are English, but do not require that per say. (We also assume function names are in English and module names are in English, etc). Also, we assume permission names will not have single quotes in them. Best would be to fix the module which uses this permission.
#3
For me it looks a bit like sql code injection... On one side the module does not filter correctly on the other side core is indirectly attackable... May be better to fix the module and core with the above patch?!?
#4
@Gabor: See http://drupal.org/node/532178#comment-1997864 how many more modules may have created such permissions...