Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem/Motivation
openomega_preprocess_region caches the result of calling menu_tree_output, basing the cache key solely on the language. This means that if menu items have access controls based on anything other than language, incorrect output can occur.
The particular example which affected me is that I created a custom page with role-based access (courtesy of ctools). A race condition then ensues. If the first person to load a page after clearing cache has the role, everyone sees the menu item whether or not they have it. If the first person to load a page doesn't have the role, no-one sees it.
Proposed resolution
As a workaround, removing the calls to cache_get and cache_set from template.php suffices.
A more involved fix might attempt to replace the i18n_menu_localize_tree invocation with a hook into _menu_link_translate, pushing all of the responsibility for caching into menu.inc.
Comments
Comment #1
hefox CreditAttribution: hefox commentedMoving to security issue queue
Comment #2
hefox CreditAttribution: hefox commentedThis went out fixed today as a security issue via https://drupal.org/node/2070039
As a reminder, please report security/access bypass issues to the security team via the "Report a security issue" link.
Thanks