Contrib.social

Time-zone-abbreviation to TZID route is not access controlled

Open on Drupal.org →
Created on 13 August 2019, about 6 years ago
Updated 23 March 2025, 7 months ago

Problem/Motivation

system.timezone route is accessible to everyone due to requirements check _access: 'TRUE'. Though this route does not return user sensitive data, prevent access to it if the user doesn't need it.

Proposed resolution

Perhaps abuse CSRF tokens?!

Remaining tasks

  • Patch
  • Changelog for any sites using this route not via timezone.es6.js, unlikely?

User interface changes

None.

API changes

Provide documentation/changelog for how to update code to new solution.

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

system.module

Created by

🇦🇺Australia dpi Perth, Australia

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 7 months ago
    🇫🇷France prudloff Lille

    I agree we should try to avoid _access: 'TRUE' but this route does not return anything sensitive so I am not sure why and how we should protect it.

  • Comment 7 months ago
    🇮🇳India Sivaji_Ganesh_Jojodae Chennai

    +1 for @prudloff.

    If you grep there are several routes with _access: 'TRUE' as appropriate.

    grep -rni \_access: core/modules/*/*.routing.yml | grep -i TRUE

    There are several routes 

    core/modules/big_pipe/big_pipe.routing.yml:9:    _access: 'TRUE'
core/modules/filter/filter.routing.yml:7:    _access: 'TRUE'
core/modules/image/image.routing.yml:55:    _access: 'TRUE'
core/modules/system/system.routing.yml:7:    _access: 'TRUE'
core/modules/system/system.routing.yml:15:    _access: 'TRUE'
core/modules/system/system.routing.yml:23:    _access: 'TRUE'
core/modules/system/system.routing.yml:31:    _access: 'TRUE'
core/modules/system/system.routing.yml:342:    _access: 'TRUE'
core/modules/system/system.routing.yml:352:    _access: 'TRUE'
core/modules/system/system.routing.yml:360:    _access: 'TRUE'
core/modules/system/system.routing.yml:400:    _access: 'TRUE'
core/modules/system/system.routing.yml:407:    _access: 'TRUE'
core/modules/system/system.routing.yml:414:    _access: 'TRUE'
core/modules/system/system.routing.yml:421:    _access: 'TRUE'
core/modules/system/system.routing.yml:459:    _access: 'TRUE'
core/modules/system/system.routing.yml:479:    _access: 'TRUE'
core/modules/system/system.routing.yml:489:    _access: 'TRUE'
core/modules/system/system.routing.yml:519:    _access: 'TRUE'
core/modules/system/system.routing.yml:526:    _access: 'TRUE'
core/modules/user/user.routing.yml:138:    _access: 'TRUE'
core/modules/user/user.routing.yml:148:    _access: 'TRUE'
core/modules/user/user.routing.yml:192:    _access: 'TRUE'
core/modules/user/user.routing.yml:233:    _access: 'TRUE'
core/modules/views/views.routing.yml:6:    _access: 'TRUE'
  • Comment 7 months ago
    🇮🇳India Sivaji_Ganesh_Jojodae Chennai
  • Status changed to Closed: outdated about 2 months ago
  • Comment about 2 months ago
    🇺🇸United States smustgrave

    Since there's been no follow up going to close this one out.

  • Comment about 2 months ago
    System Message

    Now that this issue is closed, please review the contribution record.

    As a contributor, attribute any organization helped you, or if you volunteered your own time.

    Maintainers, please credit people who helped resolve this issue.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024