security updates of unpatched modules
@@ -664,14 +664,24 @@ function webform_get_submissions($filters = array(), $header = NULL, $pager_coun
|
||||
}
|
||||
|
||||
// Query the required submission data.
|
||||
$query = db_select('webform_submitted_data', 'sd');
|
||||
$query->leftJoin('webform_submissions', 's', 's.sid = sd.sid');
|
||||
$query = db_select('webform_submissions', 's');
|
||||
$query->leftJoin('users', 'u', 'u.uid = s.uid');
|
||||
$query
|
||||
->fields('s')
|
||||
->fields('sd', array('cid', 'no', 'data'))
|
||||
->fields('u', array('name'))
|
||||
->condition('sd.sid', $sids, 'IN')
|
||||
->condition('s.sid', $sids, 'IN');
|
||||
|
||||
$submissions = $query->execute()->fetchAllAssoc('sid');
|
||||
|
||||
foreach ($submissions as $sid => $submission) {
|
||||
$submissions[$sid]->data = array();
|
||||
}
|
||||
|
||||
// Query the required submission data.
|
||||
$query = db_select('webform_submitted_data', 'sd');
|
||||
$query
|
||||
->fields('sd', array('sid', 'cid', 'no', 'data'))
|
||||
->condition('sd.sid', array_keys($submissions), 'IN')
|
||||
->orderBy('sd.sid', 'ASC')
|
||||
->orderBy('sd.cid', 'ASC')
|
||||
->orderBy('sd.no', 'ASC');
|
||||
@@ -682,27 +692,12 @@ function webform_get_submissions($filters = array(), $header = NULL, $pager_coun
|
||||
$query->condition('sd.nid', $filters['nid']);
|
||||
}
|
||||
|
||||
$result = $query->execute();
|
||||
|
||||
// Convert the queried rows into submissions.
|
||||
$previous = 0;
|
||||
foreach ($result as $row) {
|
||||
if ($row->sid != $previous) {
|
||||
$submissions[$row->sid] = new stdClass();
|
||||
$submissions[$row->sid]->sid = $row->sid;
|
||||
$submissions[$row->sid]->nid = $row->nid;
|
||||
$submissions[$row->sid]->submitted = $row->submitted;
|
||||
$submissions[$row->sid]->remote_addr = $row->remote_addr;
|
||||
$submissions[$row->sid]->uid = $row->uid;
|
||||
$submissions[$row->sid]->name = $row->name;
|
||||
$submissions[$row->sid]->is_draft = $row->is_draft;
|
||||
$submissions[$row->sid]->data = array();
|
||||
}
|
||||
// CID may be NULL if this submission does not actually contain any data.
|
||||
if ($row->cid) {
|
||||
if ($submissions) {
|
||||
$result = $query->execute();
|
||||
// Convert the queried rows into submission data.
|
||||
foreach ($result as $row) {
|
||||
$submissions[$row->sid]->data[$row->cid]['value'][$row->no] = $row->data;
|
||||
}
|
||||
$previous = $row->sid;
|
||||
}
|
||||
|
||||
foreach (module_implements('webform_submission_load') as $module) {
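Review bot: The submissions query selects every column with `->fields('s')` and returns the `fetchAllAssoc('sid')` rows as the submission objects, where the loop it appears to replace copied a fixed set of properties (sid, nid, submitted, remote_addr, uid, name, is_draft). Any column present on webform_submissions now travels on each object, including into the `webform_submission_load` implementations invoked just below. Listing the columns keeps this an explicit allowlist: `->fields('s', array('sid', 'nid', 'submitted', 'remote_addr', 'uid', 'is_draft'))`. Both query builders also carry the same comment, `// Query the required submission data.`; the first could read `// Query the submission records.`. The +/- markers are lost on this page and webform_get_submissions() extends beyond both hunks, so which lines are new is inferred.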
|
||||
|
@@ -24,9 +24,9 @@ files[] = tests/permissions.test
|
||||
files[] = tests/submission.test
|
||||
files[] = tests/webform.test
|
||||
|
||||
; Information added by Drupal.org packaging script on 2015-04-02
|
||||
version = "7.x-3.24"
|
||||
; Information added by Drupal.org packaging script on 2016-10-19
|
||||
version = "7.x-3.25"
|
||||
core = "7.x"
|
||||
project = "webform"
|
||||
datestamp = "1427956663"
|
||||
datestamp = "1476870845"
|
||||
|
||||
|
@@ -1042,17 +1042,31 @@ function webform_file_download($uri) {
|
||||
$submission = reset($submissions);
|
||||
}
|
||||
|
||||
// Grant access based on access to the submission.
|
||||
// Grant or deny file access based on access to the submission.
|
||||
if (!empty($submission)) {
|
||||
$node = node_load($submission->nid);
|
||||
if (webform_submission_access($node, $submission)) {
|
||||
return file_get_content_headers($file);
|
||||
}
|
||||
else {
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
// Grant access to files uploaded by a user before the submission is saved.
|
||||
elseif (!empty($file) && !empty($_SESSION['webform_files'][$file->fid])) {
|
||||
return file_get_content_headers($file);
|
||||
}
|
||||
|
||||
// Ensure we never completely ignore a webform file request.
|
||||
if (strpos(file_uri_target($uri), 'webform/') === 0) {
|
||||
// The file is not part of a submission or a submission-in-progress (by
|
||||
// the current user), however it may be part of a submission-in-progress
|
||||
// (or an abandoned submission) by another user. We assume that all files
|
||||
// under our enforced directory prefix are in fact webform files, and so
|
||||
// we deny access to the file. Abandoned uploads will be deleted by
|
||||
// system_cron() in due course.
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
/**
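Review bot: In the submission branch of webform_file_download(), the result of `node_load($submission->nid)` goes to `webform_submission_access()` without a check that the node was loaded. If the node no longer exists, the decision rests on how that callee treats a FALSE node, which is not visible here. The branch can fail closed with one line, `if ($node && webform_submission_access($node, $submission)) {`, so that the existing `else { return -1; }` also covers the missing-node case. The final check compares the raw `file_uri_target($uri)` with the literal `'webform/'`; a comment naming where that prefix is enforced at upload time would help keep the two in sync. The function starts outside this hunk and the +/- markers are lost on this page, so which lines are new is inferred.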
|
||||
|