Commit 095c1796 authored by drumm's avatar drumm

Drupal 5.23

parent 6e0b3afe
// $Id$
Drupal 5.23-dev, xxxx-xx-xx
Drupal 5.23, 2010-08-11
-----------------------
- Fixed security issues (File download access bypass, Comment unpublishing
bypass), see SA-CORE-2010-002.
Drupal 5.22, 2010-03-03
-----------------------
......
......@@ -575,7 +575,7 @@ function comment_access($op, $comment) {
global $user;
if ($op == 'edit') {
return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0 && $comment->status == COMMENT_PUBLISHED) || user_access('administer comments');
}
}
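Review bot: The new `$comment->status == COMMENT_PUBLISHED` condition sits in an uncommented one-line boolean in the `'edit'` branch, so the reason authors lose edit access to their own unpublished comments is not recorded next to the check. A comment above the `return`, such as `// Authors may edit their own comment only while it is published; see SA-CORE-2010-002 (comment unpublishing bypass).`, would keep a later refactor from dropping the condition. As far as the hunk shows, `comment_access()` also ends without a `return` for any `$op` other than `'edit'`; a closing `return FALSE;` would make the deny-by-default explicit instead of relying on NULL being falsy.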
......
......@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
define('VERSION', '5.23-dev');
define('VERSION', '5.23');
/**
* Implementation of hook_help().
......
......@@ -259,9 +259,15 @@ function upload_download() {
}
function upload_file_download($file) {
$file = file_create_path($file);
$result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
if ($file = db_fetch_object($result)) {
$filepath = file_create_path($file);
$result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $filepath);
while ($file = db_fetch_object($result)) {
if ($filepath !== $file->filepath) {
// Since some database servers sometimes use a case-insensitive
// comparison by default, double check that the filename is an exact
// match.
continue;
}
if (user_access('view uploaded files')) {
$node = node_load($file->nid);
if (node_access('view', $node)) {
......@@ -271,13 +277,8 @@ function upload_file_download($file) {
'Content-Length: '. $file->filesize,
);
}
else {
return -1;
}
}
else {
return -1;
}
return -1;
}
}
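Review bot: After this change `upload_file_download()` has three distinct outcomes and none of them is documented: a header array when both access checks pass, `-1` when an exactly matching row fails either check, and no return value at all when the loop finds no row whose `filepath` is identical to `$filepath`. A docblock stating those three results, and that the silent fall-through is presumably intended for paths this module does not track, would make the fail-closed behaviour reviewable. The middle of the body is collapsed between the two hunks, so this is read from the visible braces only. The inline comment says "filename" although the `!==` compares the full path. The loop also still reassigns the `$file` parameter to the row object even though `$filepath` was introduced to separate the two; `while ($row = db_fetch_object($result))`, with the later `$file->` reads renamed to match, would finish that separation.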
......