Add cookie value checks

Created on 29 April 2022, about 2 years ago

Updated 2 June 2024, 26 days ago

Problem/Motivation

The LegalLogin form does not perform any checks on the values retrieved from cookies. If the cookie values get tampered with this can cause a fatal PHP error.

Steps to reproduce

Setup the module and log in with a user who's required to accept legal terms. When viewing the terms, go to the inspector and find the cookie values. Edit the Drupal.visitor.legal_id value to be a non-existing user ID integer. Submit the form and notice the PHP error.

Proposed resolution

Add some more checks to exit gracefully if the cookie value is not a valid ID.

Remaining tasks

n/a

User interface changes

n/a

API changes

n/a

Data model changes

n/a

📌 Task

Status

Fixed

Version

3.0

Component

Code

Created by

🇸🇮Slovenia alecsmrekar

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 2 months ago →
🇩🇪Germany Anybody Porta Westfalica
Comment about 2 months ago →
🇩🇪Germany Anybody Porta Westfalica
@alecsmrekar could you reroll this against 3.0.x as MR perhaps?
Comment about 1 month ago →
🇬🇧United Kingdom Robert Castelo
Why do we need to "exit gracefully" if someone tampers with the cookie value?
Status changed to Fixed about 1 month ago9:15pm 19 May 2024
Comment about 1 month ago →
🇬🇧United Kingdom Robert Castelo
Added in https://www.drupal.org/project/legal/issues/3376194 📌 Make user ID validation logic more defensive Fixed .
Comment 26 days ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024