Change the Standard profile default configuration to not allow anonymous profile photo uploads

Open on Drupal.org →

Created on 31 May 2023, over 1 year ago

Problem/Motivation

By default without intervention:

core/profiles/standard/config/install/field.storage.user.user_picture.yml installs with uri_scheme: public
core/profiles/standard/config/install/user.settings.yml installs with register: visitors_admin_approval

If left unchanged, an anonymous user can register (pending approval) uploading an inappropriate image. The image is then publicly available via that organisation's URL immediately without the user yet being approved. The malicious actor can then document that such an image is available at that URL and use that to potentially blackmail the organisation.

Steps to reproduce

Drupal standard install
Register as an anonymous user filling in the profile image with an inappropriate image
Hover over profile image upload to get file path
Share file path elsewhere

Proposed resolution

Only allow authenticated users to add profile pictures, so it profile image does not appear on the registration form.

Remaining tasks

Update registration form

User interface changes

Profile image no longer available via registration form

API changes

None

Data model changes

None

Release notes snippet

Only authenticated users can upload a profile image by default in the 'Standard' profile default configuration so that anonymous users cannot upload inappropriate images and share them maliciously.

📌 Task

Status

Needs work

Version

11.0 🔥

Component

User module →

Last updated 3 days ago

Maintained by
🇺🇸United States @moshe weitzman
🇧🇪Belgium @kristiaanvandeneynde

Created by

🇬🇧United Kingdom scott_euser

Live updates comments and jobs are added and updated live.

Needs Review Queue Initiative
Used to track the progress of issues reviewed by the Drupal Needs Review Queue Initiative.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Issue created by @scott_euser
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update over 1 year ago
29,397 pass, 6 fail
@scott_euser opened merge request.
Status changed to Needs review over 1 year ago5:22am 31 May 2023
Comment over 1 year ago →
🇬🇧United Kingdom scott_euser
The tests for Standard Profile are fairly minimal. Should this be added to the test?
Status changed to Needs work over 1 year ago2:39pm 31 May 2023
Comment over 1 year ago →
🇺🇸United States smustgrave
As a bug it will need a test case.

But if adding a new config file may need an upgrade path, upgrade tests, and change record.
Comment over 1 year ago →
🇬🇧United Kingdom scott_euser
Well its not really a bug, its a change to the default for new installations and should not affect existing sites that are already installed. So I do not think it should actually have an upgrade path. The idea here is that for new sites moving forward, in case the site administrator forgets to configure this, that the default is more protective.

Essentially I discussed this with the security team initially before they suggested I create this as a public issue; larowlan had compared it to https://www.drupal.org/project/drupal/issues/3097468 📌 Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor roles Active which was also made public.
Comment over 1 year ago →
cilefen
It seems like more of a task.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024