[meta] Audit the event subscriber system for security

Created on 16 October 2014, over 10 years ago
Updated 3 July 2025, about 18 hours ago

Problem/Motivation

There have been numerous issues reported in relation to the event subscriber system.

While event subscribers are a great and standard industry pattern, event subscribers are not a good thing to base your security model upon.

This meta will track child issues related to security in the event subscriber realm.

Proposed resolution

- Audit the event subscriber system
- Track child issues here

Remaining tasks

- Add child issues already existing
- Audit more of the event subscriber system

User interface changes

- to be seen

API changes

- to be seen

📌 Task
Status

Postponed: needs info

Version

11.0 🔥

Component

base system

Created by

🇩🇪Germany Fabianx

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • stale-issue-cleanup

    To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States smustgrave

    Thank you for creating this issue to improve Drupal.

    We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

    Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!
