Drupal 7.x has a vulnerability similar to the two recently fixed in Guzzle:
https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
drupal_http_request() automatically follows 3xx redirects. RFC 9110 states:
When automatically following a redirected request, the user agent SHOULD resend the original request message with the following modifications:
3. Consider removing header fields that were not automatically generated by the implementation (i.e., those present in the request because they were added by the calling context) where there are security implications; this includes but is not limited to Authorization and Cookie.
See https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx
This issue has been discussed with the security team, and it has been decided that this can be handled as a security hardening issue in the public issue queue.
Status: Fixed
Version: 7.0 ⚰️
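The following is an added example and is not Drupal core code, nor the patch attached to this issue. It applies the RFC 9110 guidance quoted above to a Drupal 7 style headers array (name => value, the shape of $options['headers'] passed to drupal_http_request()). The policy it enforces is this example's own choice, consistent with the RFC text but not a description of how the core fix was implemented: keep every header on a same-origin redirect, otherwise drop Authorization and Cookie, where origin means scheme, host and port, so an https to http downgrade on the same host also counts as a change. The helper names (redirect_headers, strip_sensitive_headers) and the sample URLs and header values are constructed for the example.

```php
<?php
// Added example, not Drupal core code. Helper names are hypothetical.

/**
 * Remove Authorization and Cookie from a name => value header array.
 *
 * Header names are matched case-insensitively, as HTTP field names are:
 * "authorization" and "AUTHORIZATION" are the same field as "Authorization".
 */
function strip_sensitive_headers(array $headers) {
  $sensitive = array('authorization', 'cookie');
  $kept = array();
  foreach ($headers as $name => $value) {
    if (!in_array(strtolower($name), $sensitive, TRUE)) {
      $kept[$name] = $value;
    }
  }
  return $kept;
}

/**
 * Decide which request headers may be resent when following a 3xx redirect.
 *
 * Policy (this example's choice, after RFC 9110 section 15.4): keep all
 * headers when the Location stays on the original origin, otherwise strip
 * Authorization and Cookie. Origin is scheme + host + port, so a redirect
 * from https to http on the same host is treated as a change of origin.
 *
 * @param array $headers
 *   Headers of the request that received the 3xx, name => value.
 * @param string $original_url
 *   URL that request was sent to.
 * @param string $location
 *   Value of the Location response header.
 *
 * @return array
 *   The headers that may be sent to $location.
 */
function redirect_headers(array $headers, $original_url, $location) {
  $from = parse_url($original_url);
  $to = parse_url($location);
  if ($from === FALSE || $to === FALSE) {
    // The target origin cannot be established: fail closed.
    return strip_sensitive_headers($headers);
  }
  if (empty($to['host'])) {
    // A relative reference such as "/login" stays on the original origin.
    // A scheme-relative "//other.example/..." does carry a host and is
    // compared below like any absolute URL.
    return $headers;
  }

  $defaults = array('http' => 80, 'https' => 443);
  $from_scheme = strtolower(isset($from['scheme']) ? $from['scheme'] : 'http');
  $to_scheme = strtolower(isset($to['scheme']) ? $to['scheme'] : 'http');
  $from_port = isset($from['port']) ? (int) $from['port']
    : (isset($defaults[$from_scheme]) ? $defaults[$from_scheme] : 0);
  $to_port = isset($to['port']) ? (int) $to['port']
    : (isset($defaults[$to_scheme]) ? $defaults[$to_scheme] : 0);
  $from_host = isset($from['host']) ? $from['host'] : '';

  $same_origin = $from_scheme === $to_scheme
    && strcasecmp($from_host, $to['host']) === 0
    && $from_port === $to_port;

  return $same_origin ? $headers : strip_sensitive_headers($headers);
}

// Constructed sample: a bearer token and a session cookie sent to an API.
$headers = array(
  'Authorization' => 'Bearer example-token',
  'Cookie' => 'SESSexample=abc123',
  'Accept' => 'application/json',
);
$original = 'https://api.example.org/v1/items';

$cases = array(
  'same origin, path change'    => 'https://api.example.org/v1/items/',
  'relative Location'           => '/v1/items/',
  'different host'              => 'https://cdn.example.net/v1/items',
  'different port'              => 'https://api.example.org:8443/v1/items',
  'https to http downgrade'     => 'http://api.example.org/v1/items',
  'scheme-relative, other host' => '//cdn.example.net/v1/items',
);
foreach ($cases as $label => $location) {
  $forwarded = redirect_headers($headers, $original, $location);
  printf("%-28s forwards: %s\n", $label, implode(', ', array_keys($forwarded)));
}
```

Two points matter when wiring a check like this into a redirect-following loop. It has to run on every hop, with $original_url being the URL of the request that produced the Location (not the URL the caller started from), and the filtered array must be what is passed into the next hop, so that a header stripped at one hop does not reappear if a later hop lands back on the first host. Headers drupal_http_request() itself generates (Host, User-Agent, Content-Length) are not in the caller's array and are regenerated per request, which is exactly the distinction the RFC draws between implementation-generated fields and fields added by the calling context.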