Channel: Issues for Drupal core

Run filter_xss() over .info values


It should not be possible to execute code placed in a .info file. However, since .info values are often displayed to the user, it is possible to execute JavaScript.

There are situations where this is a little nasty. For example, it is possible to add JavaScript into a module's .info file that can automatically install the module when the user visits the /admin/build/modules page. A line of .info that could do this:

package = "Bad judgement<script type='text/javascript'>if($('#edit-status-mymodule').attr('checked')!=true){$('#edit-status-mymodule').attr('checked','checked');$('#edit-status-mymodule').parents('form').submit();}</script>"

I've attached a one-liner patch that will cause all .info values to be run through filter_xss(). Please note that this has already been reviewed by the security team and this patch is considered a non-critical hardening.

Edit by greggles: this does not need to be handled as a security bug. If someone can write malicious code to your .info files you are already screwed from a security perspective. This is just a hardening and can be handled publicly.
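The flow the report describes, as an added example that is not code from Drupal or from this issue: a Python re-creation of parsing a .info file and rendering its package value into the module list, first raw (the behaviour reported above) and then through an allowlist tag filter standing in for Drupal's filter_xss(). The sample .info content is constructed from the payload in the report; parse_info, render_package_row, contains_script and the simplified filter_xss are hypothetical names, and the filter only approximates what Drupal's real filter_xss() does (it drops every attribute of an allowed tag, which the real function does not).

```python
import re

# Constructed sample .info file (Drupal 6 "key = value" format), carrying the
# package line from the issue report. Not a real module.
MALICIOUS_INFO = '''
; comment lines are ignored
name = "My Module"
description = "Does useful things"
core = 6.x
package = "Bad judgement<script type='text/javascript'>if($('#edit-status-mymodule').attr('checked')!=true){$('#edit-status-mymodule').attr('checked','checked');$('#edit-status-mymodule').parents('form').submit();}</script>"
'''

INFO_LINE = re.compile(r'^([A-Za-z0-9_.\[\]]+)\s*=\s*(.*?)\s*$')


def parse_info(text):
    """Minimal stand-in for drupal_parse_info_file(): one key = value per line,
    ';' comments skipped, surrounding quotes removed. Hypothetical helper."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = INFO_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        info[key] = value
    return info


# Tags Drupal's filter_xss() permits by default; everything else is stripped.
ALLOWED_TAGS = {'a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li',
                'dl', 'dt', 'dd'}
TAG_RE = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>')


def filter_xss(value, allowed=ALLOWED_TAGS):
    """Allowlist tag filter approximating filter_xss(): tags not in the
    allowlist are removed (their text content is kept); allowed tags are
    re-emitted bare, so no on*= handlers or href/src survive either.
    Simplification of the real function, not a port of it."""
    def repl(m):
        closing, name = m.group(1), m.group(2).lower()
        if name in allowed:
            return '<%s%s>' % (closing, name)
        return ''
    return TAG_RE.sub(repl, value)


def render_package_row(info, sanitize):
    """Renders the 'Package' cell of the module list the way the
    admin/build/modules page would: the raw value (vulnerable form) or the
    value run through the filter (hardened form, the issue's proposed fix)."""
    package = info.get('package', 'Other')
    if sanitize:
        package = filter_xss(package)
    return '<td class="package">%s</td>' % package


def contains_script(markup):
    """True if the rendered markup still carries a <script> element."""
    return re.search(r'<script\b', markup, re.IGNORECASE) is not None


if __name__ == '__main__':
    info = parse_info(MALICIOUS_INFO)
    raw = render_package_row(info, sanitize=False)
    safe = render_package_row(info, sanitize=True)
    print('raw render executes script:', contains_script(raw))
    print('filtered render executes script:', contains_script(safe))
    print(safe)
```

The hardened render keeps the visible text "Bad judgement" plus the now inert script body as plain text, which is exactly the trade filter_xss() makes: display survives, execution does not. Running the filter at parse time (as the one-line patch does) rather than at each call site means every later consumer of the .info array, not just the modules page, sees the sanitized value.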
