Entity reference autocomplete causes a user data leak

Created on 16 July 2020, over 4 years ago
Updated 23 May 2024, 6 months ago

There are a lot of places using autocomplete in D8.

However, the API link can be accessed by anonymous if the anonymous user gains access to a session-specific token that controls access to the path.

The link "http://example.com/entity_reference_autocomplete/user/default/CrN62RqYSSdGvgjDF088tS3iRbsxUD9MzUEvAterBOo?q=t"

will show all the users whose names start with "t".

✨ Feature request
Status

Active

Version

11.0 🔥

Component
Entity

Last updated about 18 hours ago

Created by

🇹🇼Taiwan cobenash Taipei

  • Needs issue summary update


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States greggles Denver, Colorado, USA

    Updating issue summary to reflect my understanding of the issue from discussion here and on a private issue.

    I believe the token is only present in responses to users with access to the path.

  • 🇷🇴Romania CatalinMatea

    I encountered the same issue and I found that the system module has that route's _access set to true, which means it can be accessed in any circumstances; same story for the session token route.

  • 🇳🇱Netherlands Drumanuel

    Why not set this under system.entity_autocomplete

      requirements:
        _access: 'TRUE'

    to something only available for logged-in users?
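
One way to implement what the comment above suggests without patching core, as an added example that is not part of this issue or of Drupal core: a route subscriber in a hypothetical custom module `mymodule` that replaces the unconditional `_access: 'TRUE'` on `system.entity_autocomplete` with the core `_user_is_logged_in` requirement. It assumes the route name and requirement quoted in the comment, and that `_user_is_logged_in` is checked by core's `Drupal\user\Access\LoginStatusCheck`.

```php
<?php

// Added example, not Drupal core code and not from this issue.
// Assumptions: the core route is named system.entity_autocomplete and
// carries `_access: 'TRUE'` as quoted above; `_user_is_logged_in` is the
// core requirement evaluated by Drupal\user\Access\LoginStatusCheck.

namespace Drupal\mymodule\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Requires an authenticated session for entity reference autocomplete.
 *
 * Narrows the core route so that anonymous requests are refused before the
 * controller looks up the selection settings key from the path.
 */
class AutocompleteRouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    $route = $collection->get('system.entity_autocomplete');
    if ($route === NULL) {
      // Route not present (e.g. system module altered); nothing to tighten.
      return;
    }

    // Remove the blanket grant, keep any other requirements the route has.
    $requirements = $route->getRequirements();
    unset($requirements['_access']);
    $route->setRequirements($requirements);

    // Add a session-based gate: only authenticated users may query the
    // autocomplete endpoint. The selection_settings_key in the path is still
    // validated by the controller; this is an additional check in front of it.
    $route->setRequirement('_user_is_logged_in', 'TRUE');
  }

}
```

The class must be registered in `mymodule.services.yml` as a service tagged `event_subscriber` (the `RouteSubscriberBase` parent wires it to the route-alter event). The trade-off to weigh before deploying this: any form that anonymous users legitimately submit and that contains an entity reference autocomplete widget would lose autocomplete for them, so on such sites a `_permission` requirement scoped to the data being exposed (for example a permission that covers viewing user names) may fit better than a plain logged-in check.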
