Problem/Motivation
Recent security releases have shown that the render system needs to be stricter about what it allows to be called by a callback. See:
- https://www.drupal.org/sa-core-2018-002
- https://www.drupal.org/sa-core-2018-004
- #2860607: Code execution via Twig templates (including inline)
Form list of callbacks to target:
- ✓ #process
- ✓ #after_build
- #value_callback
- #element_validate
- #validate
- #submit
- #date_date_callbacks
- #entity_builders
- #file_value_callbacks
Proposed resolution
Postponed on the render system solution - #2966327: Limit what can be called by a callback in render arrays to reduce the risk of RCE - once we have an agreed solution there we should largely copy it.
- In 10.2.x deprecate the ability to call any function using call_user_func*() and limit callbacks to objects implementing the FormCallback interface, FormElementInterface or a closure. For objects also limit to specific methods to further narrow the surface area.
- Try and provide a PHPCS fix that can auto-update code?
- In 11.0.x remove the ability.
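A sketch of the check proposed above, added here as an example and not taken from Drupal core or from this issue's patches. `FormCallbackInterface`, `formCallbacks()`, `ExampleElement` and `isAllowedFormCallback()` are hypothetical names, and the agreed solution may use a different interface or an attribute instead.

```php
<?php
declare(strict_types=1);

// Hypothetical interface: the name and method are assumptions, not core API.
interface FormCallbackInterface {
  /** @return string[] Method names that may be used as form callbacks. */
  public static function formCallbacks(): array;
}

// Constructed sample class with one allowlisted and one unlisted method.
final class ExampleElement implements FormCallbackInterface {
  public static function formCallbacks(): array {
    return ['processExample'];
  }
  public static function processExample(array $element): array {
    return $element + ['#processed' => TRUE];
  }
  public static function notListed(array $element): array {
    return $element;
  }
}

// TRUE only for closures and allowlisted methods on implementing classes.
function isAllowedFormCallback(mixed $callback): bool {
  if ($callback instanceof \Closure) {
    return TRUE;
  }
  // 'Class::method' strings become [class, method]; bare function names
  // stay strings and are rejected by the array check below.
  if (is_string($callback) && str_contains($callback, '::')) {
    $callback = explode('::', $callback, 2);
  }
  if (!is_array($callback) || count($callback) !== 2
    || !isset($callback[0], $callback[1]) || !is_string($callback[1])) {
    return FALSE;
  }
  [$target, $method] = $callback;
  $class = is_object($target) ? $target::class : $target;
  if (!is_string($class) || !is_a($class, FormCallbackInterface::class, TRUE)) {
    return FALSE;
  }
  // Narrow further: only the methods the class itself declares as callbacks.
  return in_array($method, $class::formCallbacks(), TRUE);
}

// Constructed sample #process list: allowlisted method, unlisted method,
// plain function name, closure.
$process = [[ExampleElement::class, 'processExample'], 'ExampleElement::notListed',
  'strtoupper', static fn(array $e): array => $e];
foreach ($process as $cb) {
  echo isAllowedFormCallback($cb) ? "allowed\n" : "rejected\n";
}
```

During a deprecation window such as the 10.2.x step described above, a rejected callback would raise a deprecation notice and still run; the hard failure belongs to the removal step.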
Remaining tasks
- Redo against 10.1.x, using the new attribute, all the refactoring previously done against 9.2.
- Find any additional callbacks added since 9.2 and refactor those.
User interface changes
None
API changes
Yes
Data model changes
None.