[Imc-drupal-dev] security patch for comment_moderation
Bartolomeo
bartolomeo at indymedia.org
Wed Mar 4 17:47:20 PST 2009
Hello,
There was a big security hole in comment_moderation. The comment body was
displayed without calling the filter function:
http://api.drupal.org/api/function/check_markup/6.
You can find a patched version here:
http://linksunten.indymedia.org/system/files/comment_moderation.linksunten.09_05_03.tar_.gz
The module is the fruit of our political discussions. We wanted:
- well-fortified transparency (comment_revisions), so we added stashing
(deleting) of comment revisions
- different levels of censorship (offtopic = comment_moderation, hide =
hidden, censor = flag, delete = flag)
- flexibility (comment_mover)
Unfortunately, there is a bug in Drupal core that breaks JavaScript if
(1) the URL contains a fragment (e.g. #comment-123)
(2) the webpage contains a table
A patch can be found here: http://drupal.org/node/325810#comment-1239653
We'd like to thank you all for your encouraging comments. We have written a
tech article about Indymedia linksunten on Drupal 6.9 in German:
http://linksunten.indymedia.org/de/node/438
We translated the article into (bad) English and we'll release it after we
have found a native speaker who can help us translate it into (good)
English... ;-)
Ciao, Bart
PS: comment_moderation also includes the missing flag action "publish
comment". We should really create a patch for http://drupal.org/project/flag
--
http://keys.indymedia.org/cgi-bin/lookup?op=get&search=0237D46E
eMail: bartolomeo at indymedia.org + Jabber: bartolomeo at jabber.org
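Added illustration (not the comment_moderation module's own code, nor part of the mail above): a Drupal 6 moderation-page snippet that renders a queued comment the unsafe way the mail describes, next to the same row with the output filters applied. The function names example_moderation_* and the direct query against the core {comments} table are assumptions.

```php
<?php
// Hypothetical Drupal 6 moderation screen (added example, not the module's code).

// BEFORE: the class of bug the mail describes. The stored body is printed verbatim,
// so the input format the comment was saved with is never applied and any markup a
// commenter submitted reaches the moderator's browser unfiltered.
function example_moderation_row_vulnerable($comment) {
  $output  = '<div class="moderation-subject">' . $comment->subject . '</div>';
  $output .= '<div class="moderation-body">' . $comment->comment . '</div>';
  return $output;
}

// AFTER: every user-supplied field goes through the right output filter.
// check_markup() applies the input format stored on the comment; the third argument
// FALSE skips the "may the *current* user use this format" check, which is correct
// here because the moderator is displaying somebody else's comment, not editing it.
// The subject is plain text, so check_plain() (HTML-escaping) is the right filter.
function example_moderation_row_fixed($comment) {
  $subject = check_plain($comment->subject);
  $body    = check_markup($comment->comment, $comment->format, FALSE);
  $output  = '<div class="moderation-subject">' . $subject . '</div>';
  $output .= '<div class="moderation-body">' . $body . '</div>';
  return $output;
}

// Page callback wiring (assumed): list unpublished comments from the core table.
function example_moderation_page() {
  $result = db_query('SELECT c.cid, c.subject, c.comment, c.format FROM {comments} c WHERE c.status = %d', COMMENT_NOT_PUBLISHED);
  $rows = array();
  while ($comment = db_fetch_object($result)) {
    $rows[] = example_moderation_row_fixed($comment);
  }
  return implode("\n", $rows);
}
```

The same rule applies to any other place the module echoes a comment field (previews, revision diffs, "stashed" revisions): render through check_markup() with the comment's own format, never the raw column.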