Hi guys,
It is hard for me to tell whether someone otherwise unauthorized could see the wrong results, but it looks like it could happen if that someone did not submit anything but anonymous users are authorized to submit. Then that someone may end up seeing all the anonymous results.
The following is a snippet of the code that shows a first test (1st line shown) that defines a given entry in the query.
Later, you do the "same" test, only it is not the same code, to know whether you should provide the corresponding parameter.
[...]
```php
if ($pager_count && !empty($sids)) {
  $query .= ' AND s.sid IN (%s)';
}
if ($uid) {
  $query .= ' AND u.uid = %d';
}
if (is_array($header)) {
  $query .= tablesort_sql($header);
  if (!isset($header[0]['sort'])) {
    $query .= ', sid ASC';
  }
  $query .= ', cid ASC, no ASC';
}
else {
  $query .= ' ORDER BY sid ASC, cid ASC, no ASC';
}
$res = $pager_count ? db_query($query, $nid, $sids, $uid) : db_query($query, $nid, $uid);
```
[...]
This means you will be passing $sids instead of $uid resulting in u.uid = 0 instead of the intended u.uid = $uid.
For version 3.x, I hope you did consider using an array of parameters instead of such tricks!
I'm attaching the fix (see patch.)
Thank you.
Alexis
| Comment | File | Size | Author |
|---|---|---|---|
| | webform-2.9-wrong_test-6.x.patch | 522 bytes | AlexisWilke |
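The placeholder/argument mismatch reported above, next to the array-of-parameters pattern the report asks for, as an added example that is not part of the original post, the attached patch, or Webform's code. The base `WHERE s.nid = %d` clause, the function names and the sample values are assumptions; only the two conditional fragments and the argument selection come from the snippet.

```php
<?php
// Added example, not Webform's code. The base query and helper names are
// assumptions; the two conditional fragments are taken from the post.

// Pattern from the post: the test that adds the sid placeholder and the test
// that selects the arguments differ, so they can fall out of step.
function args_as_posted($nid, $sids, $uid, $pager_count) {
  $query = 'WHERE s.nid = %d'; // assumed base query
  if ($pager_count && !empty($sids)) {
    $query .= ' AND s.sid IN (%s)';
  }
  if ($uid) {
    $query .= ' AND u.uid = %d';
  }
  $args = $pager_count ? array($nid, $sids, $uid) : array($nid, $uid);
  return array($query, $args);
}

// Lockstep pattern: every fragment that adds a placeholder also appends its
// own argument, so the two lists cannot drift apart.
function args_in_lockstep($nid, $sids, $uid, $pager_count) {
  $query = 'WHERE s.nid = %d'; // assumed base query
  $args = array($nid);
  if ($pager_count && !empty($sids)) {
    $query .= ' AND s.sid IN (%s)';
    $args[] = $sids;
  }
  if ($uid) {
    $query .= ' AND u.uid = %d';
    $args[] = $uid;
  }
  return array($query, $args);
}

// Display-only stand-in for printf-style substitution. It performs no
// escaping and is not a replacement for the database layer.
function render($query, array $args) {
  return vsprintf($query, $args);
}

// Constructed input: pager active, no submission ids selected, uid 42.
foreach (array('args_as_posted', 'args_in_lockstep') as $fn) {
  list($query, $args) = $fn(7, '', 42, 10);
  echo $fn, ': ', render($query, $args), "\n";
}
```

With the constructed input, the first function binds the empty `$sids` to the `u.uid` placeholder while the second binds `$uid`. In Drupal 6, `db_query()` also accepts the arguments as a single array, so the `$args` built this way can be passed to it directly.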
Comments
Comment #1
quicksketch
This issue has been fixed in 3.x. No further updates are being released for 2.x.