authorNeil Drumm2010-08-11 20:37:49 +0000
committerNeil Drumm2010-08-11 20:37:49 +0000
commit095c1796e3980c50c9e6b51e077c4877a54bd76f (patch)
treea0e6e80e598031b8b722df188f9b6d052f7fa59a
parent6e0b3afec581b58afb9a335b6faf0aca7cd0af4e (diff)
Drupal 5.235.23
-rw-r--r--CHANGELOG.txt4
-rw-r--r--modules/comment/comment.module2
-rw-r--r--modules/system/system.module2
-rw-r--r--modules/upload/upload.module19
4 files changed, 15 insertions, 12 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 4c1a345..de2af3c 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,9 @@
// $Id$
-Drupal 5.23-dev, xxxx-xx-xx
+Drupal 5.23, 2010-08-11
-----------------------
+- Fixed security issues (File download access bypass, Comment unpublishing
+ bypass), see SA-CORE-2010-002.
Drupal 5.22, 2010-03-03
-----------------------
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 19233a5..0cd19a0 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -575,7 +575,7 @@ function comment_access($op, $comment) {
global $user;
if ($op == 'edit') {
- return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
+ return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0 && $comment->status == COMMENT_PUBLISHED) || user_access('administer comments');
}
}
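Review bot: The new `$comment->status == COMMENT_PUBLISHED` condition on the added line is a loose comparison, so a comment object whose `status` property is unset or NULL compares equal to COMMENT_PUBLISHED if that constant is 0 (as it is defined elsewhere in comment.module, not shown here), and the author-edit path would still open for such an object. Pinning it with `(int) $comment->status === COMMENT_PUBLISHED`, or guarding with `isset($comment->status) &&`, makes the check depend on a real published status rather than on PHP's NULL-to-0 coercion. The reason for the condition also deserves a line above the return, e.g. `// Authors may edit only their own published, reply-less comments; unpublished comments are handled by moderators (see SA-CORE-2010-002).` As shown in the hunk, comment_access returns nothing for any $op other than 'edit', which callers should be aware of.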
diff --git a/modules/system/system.module b/modules/system/system.module
index 2026c91..70ccbc8 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.23-dev');
+define('VERSION', '5.23');
/**
* Implementation of hook_help().
diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index eeb7ce9..d7b6521 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -259,9 +259,15 @@ function upload_download() {
}
function upload_file_download($file) {
- $file = file_create_path($file);
- $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
- if ($file = db_fetch_object($result)) {
+ $filepath = file_create_path($file);
+ $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $filepath);
+ while ($file = db_fetch_object($result)) {
+ if ($filepath !== $file->filepath) {
+ // Since some database servers sometimes use a case-insensitive
+ // comparison by default, double check that the filename is an exact
+ // match.
+ continue;
+ }
if (user_access('view uploaded files')) {
$node = node_load($file->nid);
if (node_access('view', $node)) {
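Review bot: The explanatory comment on the new exact-match check sits inside the `if` body, after the condition it explains, and attributes the behaviour to the server rather than to the column collation; reading it before the comparison is clearer. Suggest moving it above the `if` as `// The database may compare filepath case-insensitively (collation-dependent); only accept rows whose stored path is byte-for-byte the requested one.` Note also that file_create_path() (defined in file.inc, not shown here) can return FALSE for a path outside the files directory, in which case `$filepath` matches no row and every result is skipped — presumably the intended outcome, but a short comment would make that explicit. upload_file_download continues in the next hunk.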
@@ -271,13 +277,8 @@ function upload_file_download($file) {
'Content-Length: '. $file->filesize,
);
}
- else {
- return -1;
- }
- }
- else {
- return -1;
}
+ return -1;
}
}
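Review bot: With `return -1` now inside the `while` body, a request whose path has no exact match in {files} (including a case-variant of a stored path) leaves the loop without returning, so upload_file_download yields NULL rather than -1. That is presumably deliberate — an unconditional `return -1` after the loop would veto downloads of files managed by other modules — but the fall-through reads like an omission, and the function's contract with file_download depends on it. A comment after the loop's closing brace such as `// No exact match in {files}: not an upload.module file, so express no opinion rather than deny.` records the decision. The function's signature and the start of its body are in the previous hunk.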