Forward-port non-security-parts of SA-CORE-2014-003 file access bypass fixes to Drupal 8

Open on Drupal.org →

Created on 30 March 2015, over 10 years ago

Updated 7 May 2025, 4 months ago

The security fixes for the file bypass access issues in SA-CORE-2014-003 → wound up being very different between Drupal 7 and Drupal 8.

In Drupal 7, there was:

The original security fix, http://cgit.drupalcode.org/drupal/commit/?id=83b80acad8431fcd56e9a331ba0... (see the file-related changes from that commit)
The followup fix to address a non-security-related regression, http://cgit.drupalcode.org/drupal/commit/?id=b90a53201d7c3ce0dc3a240d537... (see #2305017: Regression: Files or images attached to certain core and non-core entities are lost when the entity is edited and saved → )

In Drupal 8, there was:

http://cgit.drupalcode.org/drupal/commit/?id=8f3f79ad34fcdc6db7b5bbb34f0... (see #2304969: Port private files access bypass from SA-CORE-2014-003 → )

Security-wise they both work and Drupal 8 does not appear to have any functional regressions either but there are a couple things from the various Drupal 7 commits that would be good to add to Drupal 8:

Something comparable to file_download_access(), which looks like a useful API function to me for Drupal 8 too.
The tests that were added in http://cgit.drupalcode.org/drupal/commit/?id=b90a53201d7c3ce0dc3a240d537... (although the regression was never present in Drupal 8, it still would probably be good to have the tests).

📌 Task

Status

Postponed: needs info

Version

11.0 🔥

Component

file system

Created by

🇺🇸United States David_Rothstein

Live updates comments and jobs are added and updated live.

stale-issue-cleanup
To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues

Incomplete comments

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 4 months ago →
🇺🇸United States smustgrave
Thank you for creating this issue to improve Drupal.

We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.
Comment 15 days ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
As far as I can see D11 does not have direct equivalent of file_download_access().

However it does work the same way in that \Drupal\system\FileDownloadController::download counts any headers returned by invoking file_download, and denies access if there are none.

I'd defer to the file system maintainers as to whether they'd like to add a wrapper around that count like D7's file_download_access(). That'd be @kimpepper and @mohit_aghera ( https://git.drupalcode.org/project/drupal/-/blob/11.x/core/MAINTAINERS.t... ).

I'll look at the tests next.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024