And so it will deny access to files it totally has no business with.

CommentFileSizeAuthor
#1 webform_file_download_is_nonsense.patch1.07 KBchx
webform_file_download_is_nonsense.patch2.45 KBchx
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

chx’s picture

chx CreditAttribution: chx commented
FileSize
webform_file_download_is_nonsense.patch1.07 KB

And so is the patch :D

chx’s picture

chx CreditAttribution: chx commented

Note that #1057252: Webform and private files is not indexable on MySQL, broken elsewhere contains this fix.

quicksketch’s picture

quicksketch
he/him
CreditAttribution: quicksketch commented
Title: webform_file_download query does not check for file » webform_file_download query does not check that file is owned by Webform
Priority: Critical » Major

Finally committed.

quicksketch’s picture

quicksketch
he/him
CreditAttribution: quicksketch commented
Status: Needs review » Fixed
ygerasimov’s picture

ygerasimov CreditAttribution: ygerasimov commented
Status: Fixed » Reviewed & tested by the community

Sorry but I can't see patch #1 committed. Please also be aware that patch is formed based on different path sites/all/modules/webform/webform.module and not module's root.

Manually applying patch solves the issue.

quicksketch’s picture

quicksketch
he/him
CreditAttribution: quicksketch commented
Status: Reviewed & tested by the community » Fixed

I just hadn't pushed yet. It's there now.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.