Merge branch '7.4-security' into 7.x

2011-07-27 13:19:38 -07:00 · 2011-07-27 13:19:38 -07:00 · 1f124bf1ac
parent bdc2373eab eabb023933
commit 1f124bf1ac
4 changed files with 21 additions and 3 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -1,6 +1,7 @@

-Drupal 7.5-dev, xxxx-xx-xx (development version)
+Drupal 7.5, 2011-07-27
 ----------------------
+- Fixed security issue (Access bypass), see SA-CORE-2011-003.

 Drupal 7.4, 2011-06-29
 ----------------------
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.5-dev');
+define('VERSION', '7.5');

 /**
 * Core API compatibility.
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@ -2688,6 +2688,10 @@ function comment_rdf_mapping() {
 */
 function comment_file_download_access($field, $entity_type, $entity) {
  if ($entity_type == 'comment') {
-    return user_access('access comments') && $entity->status == COMMENT_PUBLISHED || user_access('administer comments');
+    if (user_access('access comments') && $entity->status == COMMENT_PUBLISHED || user_access('administer comments')) {
+      $node = node_load($entity->nid);
+      return node_access('view', $node);
+    }
+    return FALSE;
  }
 }
--- a/modules/file/tests/file.test
+++ b/modules/file/tests/file.test
@ -540,6 +540,7 @@ class FileFieldWidgetTestCase extends FileFieldTestCase {
      'title' => $this->randomName(),
    );
    $this->drupalPost('node/add/article', $edit, t('Save'));
+    $node = $this->drupalGetNodeByTitle($edit['title']);

    // Add a comment with a file.
    $text_file = $this->getTestFile('text');
@ -569,6 +570,18 @@ class FileFieldWidgetTestCase extends FileFieldTestCase {
    $this->drupalLogout();
    $this->drupalGet(file_create_url($comment_file->uri));
    $this->assertResponse(403, t('Confirmed that access is denied for the file without the needed permission.'));
+
+    // Unpublishes node.
+    $this->drupalLogin($this->admin_user);
+    $edit = array(
+      'status' => FALSE,
+    );
+    $this->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save'));
+
+    // Ensures normal user can no longer download the file.
+    $this->drupalLogin($user);
+    $this->drupalGet(file_create_url($comment_file->uri));
+    $this->assertResponse(403, t('Confirmed that access is denied for the file without the needed permission.'));
  }

 }