diff options
| author | David Rothstein <drothstein@gmail.com> | 2013-01-16 16:56:53 -0500 |
|---|---|---|
| committer | David Rothstein <drothstein@gmail.com> | 2013-01-16 16:56:53 -0500 |
| commit | ca55fc249ca2edba301ba426579376c94f4258f4 (patch) | |
| tree | f1a695a5c37e85f4d186e60bcb070f1636233f88 /modules | |
| parent | a03edeb357816e1fa68586e1fef5be0d8f5257c3 (diff) | |
| parent | 1d4604da252f0e6e19339957ec214388f61b908d (diff) | |
| download | brdo-ca55fc249ca2edba301ba426579376c94f4258f4.tar.gz brdo-ca55fc249ca2edba301ba426579376c94f4258f4.tar.bz2 | |
Merge branch '7.18-security' into 7.x
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/book/book.pages.inc | 9 | ||||
| -rw-r--r-- | modules/book/book.test | 7 | ||||
| -rw-r--r-- | modules/image/image.module | 3 |
3 files changed, 18 insertions, 1 deletions
diff --git a/modules/book/book.pages.inc b/modules/book/book.pages.inc index 19f61158c..e5a04c5a2 100644 --- a/modules/book/book.pages.inc +++ b/modules/book/book.pages.inc @@ -45,6 +45,15 @@ function book_render() { * @see book_menu() */ function book_export($type, $nid) { + // Check that the node exists and that the current user has access to it. + $node = node_load($nid); + if (!$node) { + return MENU_NOT_FOUND; + } + if (!node_access('view', $node)) { + return MENU_ACCESS_DENIED; + } + $type = drupal_strtolower($type); $export_function = 'book_export_' . $type; diff --git a/modules/book/book.test b/modules/book/book.test index 71dc6fe61..81f4524ac 100644 --- a/modules/book/book.test +++ b/modules/book/book.test @@ -289,6 +289,13 @@ class BookTestCase extends DrupalWebTestCase { // Try getting the URL directly, and verify it fails. $this->drupalGet('book/export/html/' . $this->book->nid); $this->assertResponse('403', 'Anonymous user properly forbidden.'); + + // Now grant anonymous users permission to view the printer-friendly + // version and verify that node access restrictions still prevent them from + // seeing it. + user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version')); + $this->drupalGet('book/export/html/' . $this->book->nid); + $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.'); } /** diff --git a/modules/image/image.module b/modules/image/image.module index ff50452d5..07f489233 100644 --- a/modules/image/image.module +++ b/modules/image/image.module @@ -292,7 +292,8 @@ function image_file_download($uri) { if ($info = image_get_info($uri)) { // Check the permissions of the original to grant access to this image. $headers = module_invoke_all('file_download', $original_uri); - if (!in_array(-1, $headers)) { + // Confirm there's at least one module granting access and none denying access. + if (!empty($headers) && !in_array(-1, $headers)) { return array( // Send headers describing the image's size, and MIME-type... 'Content-Type' => $info['mime_type'], |