- 🇺🇸 United States smustgrave
This came up as a daily BSI target but see it's already been tagged.
Appears to still be valid, from what I can tell.
- First commit to issue fork.
In #2966327: Limit what can be called by a callback in render arrays to reduce the risk of RCE → we added TrustedCallbackInterface to protect against arbitrary user-supplied callbacks.

However, the ManagedFile element has #file_value_callbacks, which can execute arbitrary functions.

Alter a managed file element to add a #file_value_callbacks property, e.g.

$form['some_field']['widget'][0]['value']['#file_value_callbacks'] = ['die'];

Use the same trusted callback interface (\Drupal\Core\Render\Renderer::doCallback) that is used elsewhere.
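To make the trust boundary concrete, the script below is a standalone PHP 8 model added for this page; it is not Drupal core code and not the change in the issue fork. It places the unchecked dispatch of #file_value_callbacks next to a dispatch gated by a TrustedCallbackInterface-style rule (closures pass; "Class::method" strings and [Class, 'method'] arrays pass only when the class implements the interface and lists the method; bare function names never pass). The local TrustedCallbackInterface, the UploadValidator class, not_a_form_callback and the element array are hypothetical stand-ins so it runs without Drupal; a defined global function stands in for any attacker-chosen function name.

```php
<?php
declare(strict_types=1);

// Local stand-in for \Drupal\Core\Security\TrustedCallbackInterface (hypothetical,
// defined here only so the script runs without Drupal).
interface TrustedCallbackInterface {
  /** Names of the static methods on this class that may be used as callbacks. */
  public static function trustedCallbacks(): array;
}

final class UntrustedCallbackException extends \RuntimeException {}

/** A module's legitimate value-callback provider (hypothetical class). */
final class UploadValidator implements TrustedCallbackInterface {
  public static function trustedCallbacks(): array {
    return ['normalizeFids'];
  }
  public static function normalizeFids(array $element, array &$input, array $form_state): void {
    $input['fids'] = array_values(array_unique(array_map('intval', $input['fids'] ?? [])));
  }
  /** Real method, deliberately not listed above: must still be rejected. */
  public static function leak(array $element, array &$input, array $form_state): void {
    $input['leaked'] = TRUE;
  }
}

/** Stand-in for any global function an attacker could name (hypothetical). */
function not_a_form_callback(array $element, array &$input, array $form_state): void {
  $input['pwned'] = TRUE;
}

/** Unchecked dispatch, the shape the issue objects to: any callable string runs. */
function invoke_value_callbacks_unchecked(array $element, array &$input, array $form_state): void {
  foreach ($element['#file_value_callbacks'] ?? [] as $callback) {
    $callback($element, $input, $form_state);
  }
}

/** Trust rule: closures, or listed static methods on an implementing class. */
function is_trusted_callback($callback): bool {
  if ($callback instanceof \Closure) {
    return TRUE;
  }
  if (is_string($callback) && strpos($callback, '::') !== FALSE) {
    [$class, $method] = explode('::', $callback, 2);
  }
  elseif (is_array($callback) && count($callback) === 2 && isset($callback[0], $callback[1])) {
    [$class, $method] = $callback;
    if (is_object($class)) {
      $class = get_class($class);
    }
  }
  else {
    // Bare function names such as 'system' or 'phpinfo' land here.
    return FALSE;
  }
  return is_string($class) && is_string($method)
    && class_exists($class)
    && is_subclass_of($class, TrustedCallbackInterface::class)
    && in_array($method, $class::trustedCallbacks(), TRUE)
    && is_callable([$class, $method]);
}

/** Hardened dispatch: validate every entry first, then run; nothing runs if one fails. */
function invoke_value_callbacks_trusted(array $element, array &$input, array $form_state): void {
  $callbacks = $element['#file_value_callbacks'] ?? [];
  foreach ($callbacks as $callback) {
    if (!is_trusted_callback($callback)) {
      $name = is_string($callback) ? $callback : gettype($callback);
      throw new UntrustedCallbackException("Refusing untrusted #file_value_callbacks entry: $name");
    }
  }
  foreach ($callbacks as $callback) {
    $callback($element, $input, $form_state);
  }
}

// Constructed sample: one legitimate entry and one attacker-supplied entry.
$element = ['#file_value_callbacks' => ['UploadValidator::normalizeFids', 'not_a_form_callback']];
$form_state = [];

$input = ['fids' => ['3', '3', '5']];
invoke_value_callbacks_unchecked($element, $input, $form_state);
var_dump(isset($input['pwned']));          // bool(true): the arbitrary function ran

$input = ['fids' => ['3', '3', '5']];
try {
  invoke_value_callbacks_trusted($element, $input, $form_state);
}
catch (UntrustedCallbackException $e) {
  echo $e->getMessage(), PHP_EOL;           // refused before any callback ran
}
var_dump($input['fids']);                   // still ['3', '3', '5']

// A listed method runs; an unlisted method on the same class does not.
var_dump(is_trusted_callback('UploadValidator::leak'));          // bool(false)
$element['#file_value_callbacks'] = [[UploadValidator::class, 'normalizeFids']];
invoke_value_callbacks_trusted($element, $input, $form_state);
var_dump($input['fids']);                   // [3, 5]
```

Run it with php trusted_callbacks.php. The design choice worth noting is the two-pass dispatch: the whole #file_value_callbacks list is validated before the first callback fires, so a mixed list cannot get partial execution. Core's own DoTrustedCallbackTrait::doTrustedCallback() checks each callback as it is invoked and can be asked to trigger a warning or a silenced deprecation instead of throwing, which is how core eases contrib modules through the transition; a fix for this issue would be expected to pick one of those error types deliberately rather than default to the strictest one.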
Active
11.0 🔥
file system
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.