If a site has the "view uploaded files" permission enabled (which, in a lot of cases, is harmless), the regex in _prod_check_anonymous_rights() triggers, and claims the anonymous user has elevated privileges.
Perhaps this regex should be a little more restrictive (only match the beginnings of permission-strings?), or this one permission-string could be whitelisted?
Comments
Comment #1
malc0mn
Thanks for the report! The regex is this one:
Quite silly, but in this case upload matches uploaded as well. When implementing this one I knew we would come across false positives at some point. How about this: for a fix?
Don't want to go slapping word boundary on all of them just yet...
Comment #2
smokris
Oh, the \b regex sequence. I always forget about that one. For resolving the "view uploaded files" problem, that sounds good to me.
However, I expect there to be other false-positives, especially where permissions include user-generated content — I'm thinking about a case where somebody's built a retail store listing with a field_store_address; content_permissions.module would produce a "view field_store_address" permission, which would trigger on the "add" keyword (though anonymous users should legitimately be able to view store addresses).
I think matching all keywords only on word boundaries might actually be a good solution, since the Drupal permissions convention is to separate English words with spaces, so the regex would still trigger correctly whenever a keyword is a standalone word (I'm not thinking of any counterexamples), but avoid false-positives like this issue and the field_store_address example above.
Comment #3
malc0mn
Applied word boundary to all for D6 & D7, available in next release...
Comment #4
smokris
Great. Thanks, @malc0mn!
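
The substring-versus-word-boundary behaviour discussed in this thread, as an added PHP example that is not part of the original issue or the module's code. The keyword list holds only the two keywords named in the comments (the module's actual pattern is not shown on this page), and the helper names and the permission list are constructed for illustration.

```php
<?php
// Assumed keyword list: only the two keywords named in the thread.
// The module's real pattern is not shown on this page.
$keywords = array('upload', 'add');

// Hypothetical helper: build the loose or the word-boundary pattern
// from the same keyword list so the two can be compared directly.
function build_pattern(array $keywords, $word_boundary) {
  $alternation = implode('|', array_map(function ($k) {
    return preg_quote($k, '/');
  }, $keywords));
  return $word_boundary
    ? '/\b(?:' . $alternation . ')\b/i'
    : '/(?:' . $alternation . ')/i';
}

// Hypothetical helper: return the permissions a pattern would flag.
function flagged(array $permissions, $pattern) {
  return array_values(array_filter($permissions, function ($p) use ($pattern) {
    return preg_match($pattern, $p) === 1;
  }));
}

// Constructed sample of permissions granted to the anonymous role.
$anonymous = array(
  'access content',
  'view uploaded files',       // the permission from the report
  'view field_store_address',  // the example from comment #2
  'upload files',              // keyword as a standalone word
  'manage uploads',            // constructed: inflected form of a keyword
);

$loose  = flagged($anonymous, build_pattern($keywords, FALSE));
$strict = flagged($anonymous, build_pattern($keywords, TRUE));

print "substring match:\n  " . implode("\n  ", $loose) . "\n";
print "word-boundary match:\n  " . implode("\n  ", $strict) . "\n";
```

Because `_` counts as a word character, `\badd\b` finds no boundary inside `field_store_address`. The same rule means an inflected form such as "uploads" is no longer flagged, so a keyword list used with `\b` needs to spell out every form that should trigger the check.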