Contrib.social

Provide a method for systems administrators to globally disable eval'ing user-submitted php code

Open on Drupal.org →
Created on 6 August 2012, about 12 years ago
Updated 4 April 2024, 6 months ago

Problem/Motivation

In some high-security drupal environments, systems administrators do not like any users, even trusted users, from being able to submit arbitrary PHP code for evaluation. A typical environment where this would be a concern would be one where there is not system-level separation of Drupal sites, but users are allowed to login as user 1 to these sites. Custom code and contrib modules can be audited ahead of time, but there is no good mechanism to validate that user-submitted PHP code is not malicious.

Drupal core provides the php module to centralize the ability to disable PHP evaluation. Disabling this module from being enabled is easy to do using several methods. However, contrib modules do not adhere to a central method of allowing this functionality, and systems administrators that do not wish to allow user-submitted PHP (from even uid 1) are left with a limited set of modules to choose from.

Proposed resolution

To provide a system-wide method of disabling custom PHP from being eval'd multiple steps need to occur

  1. A central method of allowing/disallowing arbitrary PHP evaluation needs to be agreed to
  2. Contrib modules allowing arbitrary eval() need to be patched to check for this central setting

Views uses a novel approach where it looks for the core PHP filter permission being set before allowing a user to submit PHP. This essentially reduces the sysadmin's job to figuring out a method of disallowing a single module from being enabled. However, the behavior is somewhat counter-intuitive since the real PHP filter isn't being used.

Many other modules, however, do not use this paradigm and it is left up to the sysadmin to disable each method individually. A possible method would be to create a setting in settings.php that contrib modules can key off to do disable their PHP eval functionality if the setting is found.

Remaining tasks

  1. Discuss if this modification is warranted
  2. Agree on approach
  3. Implement approach
Feature request
Status

Closed: works as designed

Version

1.0

Component

Code

Created by

🇺🇸United States joelcollinsdc

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 6 months ago
    🇭🇺Hungary Gábor Hojtsy Hungary

    Now that this is a contributed project, sites can remove it from their codebase. I think the issue dates back to being a core module.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024