From 706ea3e5c4a181892c9635704b2c29680c94a4b3 Mon Sep 17 00:00:00 2001
From: Angie Byron
Date: Sat, 11 Oct 2008 03:03:59 +0000
Subject: #319341: SA-2008-060 (#318706): Access bypass for files attached to restricted nodes.

---
 modules/upload/upload.module | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'modules/upload/upload.module')

diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index 4fceaa6ab..666aa23e9 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -154,15 +154,17 @@ function _upload_file_limits($user) {
  */
 function upload_file_download($filepath) {
   $filepath = file_create_path($filepath);
-  $result = db_query("SELECT f.* FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $filepath);
+  $result = db_query("SELECT f.*, u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $filepath);
   if ($file = db_fetch_object($result)) {
-    if (!user_access('view uploaded files')) {
+    if (user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) {
+      return array(
+        'Content-Type: ' . $file->filemime,
+        'Content-Length: ' . $file->filesize,
+      );
+    }
+    else {
       return -1;
     }
-    return array(
-      'Content-Type: ' . $file->filemime,
-      'Content-Length: ' . $file->filesize,
-    );
   }
 }
-- 
cgit v1.2.3
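Review bot: The access decision on the new `if (user_access(...) && ($node = node_load($file->nid)) && node_access('view', $node))` line is taken from a single row, because `db_fetch_object` is called once on a query with no ORDER BY, while the join on `{upload}` can, if that table holds one row per node revision as I believe it does in this codebase, return several rows for the same fid — so which node is checked is arbitrary, and a user who may view one of the referencing nodes can be refused because a different one happened to come first. The `else { return -1; }` branch is also reached when `node_load()` returns FALSE for an orphaned `{upload}` row, which fails closed; that is the right outcome and is worth a comment such as `// Missing or inaccessible node: deny rather than fall through to the file system.` I would iterate every matching row, serve the file as soon as one referencing node passes `node_access('view', ...)`, and return -1 only when at least one row was found and none passed, so that files with no `{upload}` row keep returning nothing as before. The whole of `upload_file_download()` is inside the hunk.

```php
function upload_file_download($filepath) {
  $filepath = file_create_path($filepath);
  $result = db_query("SELECT f.*, u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $filepath);
  $found = FALSE;
  // Serve the file if ANY node that references it is viewable; a missing
  // node (node_load() returning FALSE) counts as not viewable.
  while ($file = db_fetch_object($result)) {
    $found = TRUE;
    if (user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) {
      return array(
        'Content-Type: ' . $file->filemime,
        'Content-Length: ' . $file->filesize,
      );
    }
  }
  // Only claim the file (deny) when it is one of ours; otherwise stay silent
  // so other modules' hook_file_download() implementations can decide.
  if ($found) {
    return -1;
  }
}
```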