Sanitize watchdog() link in dblog_event()

Created on 27 July 2015, almost 9 years ago
Updated 10 November 2023, 8 months ago

On #2535192: Security: LoggerChannelInterface doxygen needs a little love, we patched the interface for logging in Drupal 8 to add a security note:

+ * SECURITY NOTE: the caller might also set a 'link' in the $context array
+ * which will be printed as-is by the dblog module under an "operations"
+ * header. Usually this is a "view", "edit" or similar relevant link. Make sure
+ * to use proper, secure link generation facilities; some are listed below.
+ *
+ * @see \Drupal\Core\Logger\RfcLoggerTrait
+ * @see \Psr\Log\LoggerInterface
+ * @see \Drupal\Core\Logger\\LoggerChannelFactoryInterface
+ * @see \Drupal\Core\Utility\LinkGeneratorInterface
+ * @see \Drupal\Core\Routing\LinkGeneratorTrait::l()
+ * @see \Drupal\Core\Entity\EntityInterface::link()
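Review bot: the @see line for the channel factory has a doubled backslash (`\Drupal\Core\Logger\\LoggerChannelFactoryInterface`); it should read `\Drupal\Core\Logger\LoggerChannelFactoryInterface` so the doxygen cross-reference resolves to the real interface. The rest of the note is clear, though "some are listed below" would be more useful to callers if it said which of the listed @see targets are the link generators (LinkGeneratorInterface, LinkGeneratorTrait::l() and EntityInterface::link()) rather than the logger interfaces.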

We need to add a similar notice here, but just tell people to use the l() function, with its sanitization features, to make links (the list of "secure link generation facilities" in Drupal 7 is only the l() function).
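As an added illustration of the Drupal 7 side of this (example code, not part of the issue or of the dblog module): in Drupal 7 the link is the fifth argument to watchdog(), and dblog prints it as-is in the Operations column, so it must already be safe HTML. The module name, function name, path and the idea of a "report" entity are assumptions made up for the example. l() escapes the link text with check_plain() unless the 'html' option is set, and also runs check_plain() over the URL it builds with url(), which is why it is the facility to recommend.

```php
<?php
// Added example, not from the issue or the dblog module. The module name
// "example", the function names and the "report/%/edit" path are assumptions.

/**
 * Builds an Operations link the unsafe way: raw string concatenation.
 *
 * $title comes from user input, so any markup in it lands verbatim in the
 * Recent log messages page. Shown only to contrast with the safe version.
 */
function example_unsafe_report_link($report_id, $title) {
  return '<a href="/report/' . $report_id . '/edit">' . $title . '</a>';
}

/**
 * Builds the same Operations link with l(), which escapes the link text and
 * the generated href, and lets url() handle path aliases and the base path.
 */
function example_safe_report_link($report_id, $title) {
  return l($title, 'report/' . $report_id . '/edit');
}

/**
 * Logs that a (hypothetical) report was updated, passing the sanitized link
 * as the fifth watchdog() argument so dblog can show it under Operations.
 *
 * The message itself uses placeholders (%title, @id) rather than
 * concatenation, so watchdog()'s own sanitization applies to those too.
 */
function example_log_report_update($report_id, $title) {
  $link = example_safe_report_link($report_id, $title);

  watchdog('example', 'Report %title (ID @id) was updated.', array(
    '%title' => $title,
    '@id' => $report_id,
  ), WATCHDOG_NOTICE, $link);

  return $link;
}
```

With a title such as `Q3 <b>draft</b>`, the unsafe helper emits the bold tag into the log page, while the l() version renders it as literal text; both the title and the path part of the link go through check_plain() inside l().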

📌 Task

Status: Fixed

Version: 7.0 ⚰️

Component: Database Logging

Last updated about 1 month ago

Maintained by: 🇦🇷 Argentina @dagmar

Created by: 🇺🇸 United States jhodgdon, Spokane, WA, USA
  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
