Drupal 5.23

CHANGELOG.txt

@@ -1,7 +1,9 @@
 // $Id$
 
-Drupal 5.23-dev, xxxx-xx-xx
+Drupal 5.23, 2010-08-11
 -----------------------
+- Fixed security issues (File download access bypass, Comment unpublishing
+  bypass), see SA-CORE-2010-002.
 
 Drupal 5.22, 2010-03-03
 -----------------------

modules/comment/comment.module

@@ -575,7 +575,7 @@ function comment_access($op, $comment) {
   global $user;
 
   if ($op == 'edit') {
-    return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
+    return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0 && $comment->status == COMMENT_PUBLISHED) || user_access('administer comments');
   }
 }
 

modules/system/system.module

@@ -6,7 +6,7 @@
  * Configuration system that lets administrators modify the workings of the site.
  */
 
-define('VERSION', '5.23-dev');
+define('VERSION', '5.23');
 
 /**
  * Implementation of hook_help().

modules/upload/upload.module

@@ -259,9 +259,15 @@ function upload_download() {
 }
 
 function upload_file_download($file) {
-  $file = file_create_path($file);
-  $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
-  if ($file = db_fetch_object($result)) {
+  $filepath = file_create_path($file);
+  $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $filepath);
+  while ($file = db_fetch_object($result)) {
+    if ($filepath !== $file->filepath) {
+      // Since some database servers sometimes use a case-insensitive
+      // comparison by default, double check that the filename is an exact
+      // match.
+      continue;
+    }
     if (user_access('view uploaded files')) {
       $node = node_load($file->nid);
       if (node_access('view', $node)) {
@@ -271,13 +277,8 @@ function upload_file_download($file) {
           'Content-Length: '. $file->filesize,
         );
       }
-      else {
-        return -1;
-      }
-    }
-    else {
-      return -1;
     }
+    return -1;
   }
 }