Cron CSRF vulnerability
Note: this issue has been reviewed by the Drupal security team and it was decided that this can be handled as a public security improvement. Problem/Motivation: In Drupal 7 and 8 cron is vulnerable to CSRF...

D7 drupal_array_get_nested_value() array_key_exists() micro-optimization
Problem/Motivation: isset() is fast but doesn't take into account NULL values; we can use it ahead of an array_key_exists() check to glean some of its speed, but PHP's short circuit...

[D7] Deleting node type leaves orphan nodes
D7 backport of #232327: Deleting node type leaves orphan nodes. The steps required to reproduce the bug are: create a node of content type X; delete the content type X; go to node/n/edit where n is the id of...

[D7] Support X-Forwarded-* HTTP headers alternates
Backport of #313145: Support X-Forwarded-* HTTP headers alternates. When the trusted proxies are set and reverse_proxy is enabled, Symfony will automatically pick up the default X-Forwarded-* headers....

[D7 backport] drupal_mkdir does not set permissions to directories it created...
Follow-up to #1068266: drupal_mkdir does not set permissions to directories it created recursively. Problem/Motivation: PHP mkdir() does not set file permissions as expected when we create directories...

Reverting to revisions prior to addition of field translations is broken
Problem/Motivation: field_sql_storage_field_storage_write() does a DELETE ... INSERT. The DELETE is restricted by field language: // Delete languages present in the incoming $entity->$field_name. //...

Never use aggregation in maintenance mode.
When we are in ANY maintenance mode, we do not want to allow aggregation. When the database is down and the site is in error maintenance mode, the error pages would be attempting to do aggregation...

Files should be uploaded to per year/month directories by default
Problem/Motivation: Drupal will upload files into one directory by default. Users can affect this by changing the configuration of file/image fields, but real-world experience shows that they don't....

[D7] SQL layer: $match_operator is vulnerable to injection attack
Problem/Motivation: Backport #2492967: SQL layer: $match_operator is vulnerable to injection attack to D7. Proposed resolution: Please see #2492967: SQL layer: $match_operator is vulnerable to injection...

Crypt::randomBytes()/drupal_random_bytes() doesn't actually return...
Problem/Motivation: Drupal prefers openssl_random_pseudo_bytes() if available in Crypt::randomBytes() in 8.0.x or drupal_random_bytes() in 7.x and 6.x. PHP used the wrong method in the openssl library now...

Broken images displayed and PHP notices when file/image field values are missing
If a node has a populated image field (which does not have a default image specified) with a file that fails to load, then the default image formatter will try to display a broken image. On display *...

Optimize node access query building
Updated: Comment #153. Problem/Motivation: Drupal's current method of determining whether a specified user has access to a node is reported to have significant performance issues on a site using node...

[D7] Enable error logging to log a backtrace string
Follow-up to #2638140: Error logging should log a backtrace consistently. Problem/Motivation: Software has bugs, so errors are there and will be logged. Sadly, by default Drupal just puts the line of the...

Element::children sort order undefined and slower than it could be - this...
Problem/Motivation: #2448765: Element::children sort order undefined and slower than it could be - This makes tests fail in PHP7 needs backporting to Drupal 7. Proposed resolution. Remaining tasks. User...

QuickStart and Install commands don't enforce min (or max) PHP versions
Problem/Motivation: Uncovered at #3156651: Prevent Drupal 8.9 and 9.0 from being installed on PHP 8. install.php has code to check the minimum PHP version and bail extremely early if you're on too old a...

Update 'username' theme template to use 'view label'...
Problem/Motivation: Usernames are somewhat important, especially for brute force attacks. Although the Drupal security team does not consider exposure of usernames a weakness, we should still make a best...

Incompatible with version 7.x-3.x-dev
Problem/Motivation: Requires: Entity API (enabled), Views (>=3.12) (incompatible with version 7.x-3.x-dev), Chaos tools (enabled). After manual installation of VBO, it shows the above information..... I...

Meeting of the Bug Smash Initiative 2020-10-27
Agenda items: Standing items; Who is here; Any other suggested topics; Wins / Thanks / Blockers; Statistics and functionality update. X new bugs created in the last two weeks. Y closed by the initiative. The bug I...

Single item configuration export form config_name does not have "-...
Problem/Motivation: Visit /admin/config/development/configuration/single/export. Ensure that the Configuration type is Simple configuration; change it to this value if not. The first option in...

Meeting of the Bug Smash Initiative 2020-11-03
Agenda items: Standing items; Who is here; Any other suggested topics; Wins / Thanks / Blockers; Statistics and functionality update. X new bugs created in the last two weeks. Y closed by the initiative. The bug I...