Contrib.social

Remove drupal_valid_ua() time protection

Open on Drupal.org →
Created on 26 August 2016, almost 9 years ago
Updated 18 April 2024, about 1 year ago

Problem/Motivation

I looked at the code and from my understanding a replay attack scenario has quite some requirements:

1. Simpletest must have been used on a production site.
2. An attacker got into possession of a test HTTP request that the site has sent locally to itself during testing. Which is not possible for a remote attacker, so they must have access to the server already to capture requests.
3. Simpletest did not shut down correctly and failed to clean up the test directory. It has to leave a settings.php file and .htkey behind in the file system.
4. The attacker finds a weakness to break out of the child test site and get access to the database of the main site. I can't think of a way to accomplish that, but would be very curious to see creative attempts :-)

Given that at least 2. makes an attack not practical I think the timestamp check is redundant and can be removed.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Closed: outdated

Version

11.0 🔥

Component
PHPUnit 

Last updated 7 minutes ago

Created by

🇩🇪Germany dawehner

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 1 year ago
    🇳🇿New Zealand quietone

    The only reference git finds for "drupal_valid_ua" is in a comment and then that was removed. Therefor, I am closing this as outdated.

    git log -Sdrupal_valid_ua
commit b72fe50a60a5bd12c713f04ec4ce02500ba123a5
Author: catch <catch@35733.no-reply.drupal.org>
Date:   Tue Nov 3 11:45:09 2020 +0000

    Issue #3151118 by alexpott, Beakerboy, kapilkumar0324, anmolgoyal74, jungle, heddn, Mile23, andypost, daffie: Include bootstrap.inc using composer

commit 5f3b66ed0d0a6065fd83373919b33c2677368082
Author: Nathaniel Catchpole <catch@35733.no-reply.drupal.org>
Date:   Mon Sep 25 13:07:02 2017 +0100

    Issue #2728579 by Mile23, neclimdul, Munavijayalakshmi, klausi, dawehner: Explicitly skip @requires module in PHPUnit Kernel and Browser tests
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024