author | Dries Buytaert <dries@buytaert.net> | 2009-01-21 14:50:58 +0000 |
committer | Dries Buytaert <dries@buytaert.net> | 2009-01-21 14:50:58 +0000 |
commit | 7e2a90629d1e3f1ac444a13e63dd06801e089209 (patch) | |
tree | 584f8ec74833ae66a9dd9ea06a5f8e00d9076676 | |
parent | c11454db379944b3d95d92c7ca5d425247165d57 (diff) | |
- Patch #278675 by Dave Reid, pwolanin, drewish, robertDouglass: fixed possible SQL injection risk in node_access(). Already part of Drupal 6.
-rw-r--r-- | modules/node/node.module | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/modules/node/node.module b/modules/node/node.module
index 73afd403f..068813f22 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1201,7 +1201,7 @@ function node_build_content($node, $teaser = FALSE) {
 // Allow modules to make their own additions to the node.
 node_invoke_nodeapi($node, 'view', $teaser);
-
+
 // Allow modules to modify the structured node.
 drupal_alter('node_view', $node, $teaser);
@@ -2169,7 +2169,9 @@ function node_search_validate($form, &$form_state) {
 function node_access($op, $node, $account = NULL) {
 global $user;
- if (!$node) {
+ if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
+ // If there was no node to check against, or the $op was not one of the
+ // supported ones, we return access denied.
 return FALSE;
 }
 // Convert the node to an object if necessary:
@@ -2384,10 +2386,10 @@ function node_query_node_access_alter(QueryAlterableInterface $query) {
 if (count($or->conditions())) {
 $query->condition($or);
 }
-
+
 $query->condition("{$access_alias}.grant_$op", 1, '>=');
 }
- }
+ }
 }
 }
 /**
@@ -3019,7 +3021,7 @@ function node_list_permissions($type) {
 */
 function node_elements() {
 $type['node_links'] = array();
-
+
 return $type;
 }
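Review bot: The allow-list added to `node_access()` validates `$op` only at this entry point, while the interpolation the commit message is about, `"{$access_alias}.grant_$op"` in `node_query_node_access_alter()` (third hunk of this file), still builds a column name from `$op` with no check of its own. If that alter hook can obtain an `$op` that has not passed through `node_access()` — this hunk does not show where it reads `$op` from — the same list should be enforced there as well, or kept in one place and reused by both sites, e.g. `$ops = array('view', 'update', 'delete', 'create');` defined once rather than inlined in the condition. The `TRUE` strict flag on `in_array()` is the right choice here, since loose comparison in PHP of that era would treat an integer `0` as equal to those strings and let it through. `node_access()` continues past the end of the hunk.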