From 7e2a90629d1e3f1ac444a13e63dd06801e089209 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Wed, 21 Jan 2009 14:50:58 +0000
Subject: - Patch #278675 by Dave Reid, pwolanin, drewish, robertDouglass: fixed possible SQL injection risk in node_access(). Already part of Drupal 6.

---
 modules/node/node.module | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'modules')

diff --git a/modules/node/node.module b/modules/node/node.module
index 73afd403f..068813f22 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1201,7 +1201,7 @@ function node_build_content($node, $teaser = FALSE) {
   // Allow modules to make their own additions to the node.
   node_invoke_nodeapi($node, 'view', $teaser);
-
+
   // Allow modules to modify the structured node.
   drupal_alter('node_view', $node, $teaser);
@@ -2169,7 +2169,9 @@ function node_search_validate($form, &$form_state) {
 function node_access($op, $node, $account = NULL) {
   global $user;
-  if (!$node) {
+  if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
+    // If there was no node to check against, or the $op was not one of the
+    // supported ones, we return access denied.
     return FALSE;
   }
   // Convert the node to an object if necessary:
@@ -2384,10 +2386,10 @@ function node_query_node_access_alter(QueryAlterableInterface $query) {
     if (count($or->conditions())) {
       $query->condition($or);
     }
-
+
     $query->condition("{$access_alias}.grant_$op", 1, '>=');
   }
-  }
+  }
 }

 /**
@@ -3019,7 +3021,7 @@ function node_list_permissions($type) {
  */
 function node_elements() {
   $type['node_links'] = array();
-
+
   return $type;
 }
--
cgit v1.2.3
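Review bot: The strict `in_array()` whitelist added to the `if` in node_access() is the right boundary check, but the same `grant_$op` column-name interpolation is visible in node_query_node_access_alter() in the third hunk (`$query->condition("{$access_alias}.grant_$op", 1, '>=');`), and nothing in this diff shows where that `$op` originates; if it is not always derived from an already-validated value, the same strict check belongs on that path too. The function's docblock, which lies outside the hunk, should state the contract the new check enforces, e.g. `@param $op One of 'view', 'update', 'delete' or 'create'; any other value is denied (FALSE).` The body of node_access() continues past the end of the hunk.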