Contrib.social

[meta] Patch to remove plupload library examples folder for Drupal distribution

Open on Drupal.org β†’
Created on 31 January 2013, about 12 years ago
Updated 23 July 2023, over 1 year ago

Refer to #1895328: Security exploit in plupload external library examples folder β†’ , we should remove examples folder in plupload library in order to avoid security risk as stated in PSA-2011-02.

In order to include plupload module into Drupal distribution, e.g. DruStack, we need a patch file for drush make so can remove examples folder by patching the library.

This issue should be considered Fixed due to the recommended patch not being one that can be applied to the repo. If a search has lead you here there is a plupload.make.example file in the module. This should be applied to your local make file and applied thus (assuming your .make file is called build.make);
drush make --no-core --libraries=plupload build.make

✨ Feature request
Status

Needs review

Version

1.0

Component

Miscellaneous

Created by

πŸ‡­πŸ‡°Hong Kong hswong3i

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago β†’
    πŸ‡ͺπŸ‡ΈSpain orodicio

    Patch from #31 works for us with Plupload 2.3.6 in Drupal 9.5.4.

  • Comment over 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States thejimbirch Cape Cod, Massachusetts

    Thanks for the patches! I struggled to understand the process, so I am adding a workflow document in hopes of helping others.

    Remove security vulnerability in Plupload examples folder

    The Drupal Plupload module requires the moxiecode/plupload library. This library contains an examples folder that has a security vulnerability that can be exploited.

    This vulnerability can be confirmed on Pantheon using their status check in the dashboard.

    Removing the folder

    This issue contains patches against the different versions of the Plupload library, not the module. There are different patches for the different versions of the Plupload library (again, not the Drupal module).

    The tricky bit is that you are patching the library, which is a dependency of the Drupal module, not the module itself. (should I say it one more time? =)

    In your composer.json file, you can add the following under the patches section:

        "moxiecode/plupload": {
        "Patch to remove plupload library examples folder - https://www.drupal.org/node/1903850": "https://www.drupal.org/files/issues/plupload-2_1_9-rm_examples-1903850-27.patch"
    }

    After that, run composer update moxiecode/plupload and verify the patch has been applied.

    If you are using Pantheon, after you deploy, run the Status check in the dashboard to verify the folder has been removed.

  • Comment over 1 year ago β†’
    πŸ‡ͺπŸ‡ΈSpain budalokko Girona

    The vulnerability was fixed upstream two years ago:

    - https://github.com/moxiecode/plupload/releases/tag/v2.3.7
    - https://github.com/moxiecode/plupload/issues/1536

    We won't change our procedures for d7 at this point, but wondering what the users of this patch think about just requiring a version >=2.3.7 for the Drupal 8+ version of the module.

    This is the fix. Secure enough under my view:

    https://github.com/moxiecode/plupload/commit/ad2c48793bc989800a9d1f53e09...

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024