Bug 376689 - <www-apps/drupal-7.7: Access bypass in private file fields on comments.
Summary: <www-apps/drupal-7.7: Access bypass in private file fields on comments.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://drupal.org/node/1231510
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-28 08:49 UTC by Peter Volkov (RETIRED)
Modified: 2011-08-17 21:09 UTC

See Also:
Package list:
Runtime testing required: ---

Description Peter Volkov (RETIRED) gentoo-dev 2011-07-28 08:49:24 UTC
Description
Access bypass in private file fields on comments.

Drupal 7 contains two new features: the ability to attach File upload fields to
any entity type in the system and the ability to point individual File upload
fields to the private file directory.

If a Drupal site is using these features on comments, and the parent node is
denied access (either by a node access module or by being unpublished), the
file attached to the comment can still be downloaded by non-privileged users if
they know or guess its direct URL.

This issue affects Drupal 7.x only.
Versions affected

    Drupal 7.x before version 7.5.
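The check the advisory describes as missing, written as an added example for a hypothetical Drupal 7 contrib module named commentfile_guard (this is not Drupal's own 7.5 fix and not code from this bug): a hook_file_download() implementation that refuses a private-directory file when it is attached to a comment whose parent node the current user may not view. It assumes the standard Drupal 7 APIs file_load_multiple(), file_usage_list(), comment_load(), node_load() and node_access().

```php
<?php

/**
 * Implements hook_file_download().
 *
 * Private files are only served when some module returns headers for them,
 * and any module returning -1 makes file_download() answer 403. Added
 * example (hypothetical module commentfile_guard), not Drupal core code.
 */
function commentfile_guard_file_download($uri) {
  // Look up the managed file record for the requested private URI.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    return NULL; // Unknown file: leave the decision to other modules.
  }
  $file = reset($files);

  // File fields register usage as $usage['file'][$entity_type][$entity_id].
  $usage = file_usage_list($file);
  if (empty($usage['file']['comment'])) {
    return NULL; // Not attached to a comment through a file field.
  }

  foreach (array_keys($usage['file']['comment']) as $cid) {
    $comment = comment_load($cid);
    if (!$comment) {
      return -1; // Dangling usage: fail closed rather than serve the file.
    }
    $node = node_load($comment->nid);
    // node_access('view') is FALSE for non-privileged users when the node
    // is unpublished or hidden by a node access module, which is exactly
    // the case the advisory describes.
    if (!$node || !node_access('view', $node)) {
      return -1; // Deny: parent node is not viewable by this user.
    }
  }

  // Every parent node is viewable; let the file module serve it as usual.
  return NULL;
}
```

Enable the module on a site that still runs the affected version, or keep it as defence in depth; a denied request shows up in the web server log as a 403 on the system/files path.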
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-07-28 08:55:06 UTC
7.7 that fixes this issue is in the tree.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 21:09:47 UTC
Great, thanks, Peter. Closing noglsa for ~arch only package.