- Issue created by @hargobind
- Status changed to Needs review
about 1 year ago 11:15pm 23 August 2023 - last update
about 1 year ago Patch Failed to Apply - United States hargobind Austin, Texas
Attaching a patch with this one-line change.
- last update
about 1 year ago Patch Failed to Apply - United States hargobind Austin, Texas
Accidentally included the ['user_list'] in the previous patch.
- United States laryn
Content Access is specifically mentioned in the security advisory for ACL 1.4: https://www.drupal.org/sa-contrib-2023-034
I maintain the Backdrop version and what I've done there is along the lines of what ACL has done in switching from using `serialize` to `json_encode` -- so it requires an update hook to convert any Content Access settings saved in the database from serialization to json_encoding, as well.
Here's the relevant commit: https://github.com/backdrop-contrib/content_access/commit/4a45c548414df6...
Would you consider expanding this issue and patch to include that sort of change for security hardening?
- United States hargobind Austin, Texas
Ultimately that decision rests with the module maintainers. But this seems like a sensible change to me.
It would maintain a bit of feature parity as far as how data is encoded for ACL and content_access.
It's also safer from a security standpoint since serialize()/unserialize() is prone to remote code execution vulnerabilities.
@laryn would you like to contribute your patch or do you want me to?
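The conversion discussed in the comments above, as an added sketch (not code from the linked commit, from ACL or from Content Access): stored settings are read as JSON when possible, legacy `serialize()` data is decoded without instantiating any class, and everything is written back with `json_encode`. The function names and sample rows are hypothetical, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Added illustration; function names and sample rows are hypothetical.

// Keep only arrays, scalars and NULL, so nothing object-like survives.
function example_plain_data($value) {
  if (is_array($value)) {
    $clean = array();
    foreach ($value as $key => $item) {
      if (is_array($item) || is_scalar($item) || $item === NULL) {
        $clean[$key] = example_plain_data($item);
      }
    }
    return $clean;
  }
  return $value;
}

// Read a stored settings string in either format and return a plain array.
function example_decode_settings($raw) {
  // New format: json_decode() builds arrays and scalars only.
  $decoded = json_decode((string) $raw, TRUE);
  if (is_array($decoded)) {
    return $decoded;
  }
  // Legacy format: allowed_classes => FALSE (PHP 7.0+) stops unserialize()
  // from instantiating classes named in the stored string.
  $legacy = @unserialize((string) $raw, array('allowed_classes' => FALSE));
  return is_array($legacy) ? example_plain_data($legacy) : array();
}

// Re-encode every row as JSON; rows already in JSON decode to the same data.
function example_convert_rows(array $rows) {
  $converted = array();
  foreach ($rows as $id => $raw) {
    $converted[$id] = json_encode(example_decode_settings($raw));
  }
  return $converted;
}

// Constructed sample rows: legacy, already converted, and object-bearing.
$rows = array(
  1 => serialize(array('view' => array(1, 2), 'update' => array(3))),
  2 => '{"view":[2]}',
  3 => 'a:1:{s:4:"view";O:8:"stdClass":0:{}}',
);
print_r(example_convert_rows($rows));
```

Because already-converted rows pass through the JSON branch, the conversion can be run more than once without damaging data.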
- Norway gisle Norway
I am the module maintainer, and I intend to upgrade as soon as there is an RTBC patch.
- Status changed to Needs work
about 1 year ago 7:28am 24 August 2023 - Slovakia gresko8
I'm attaching my attempt at porting a patch from the commit mentioned in comment #4.
- Status changed to Needs review
about 1 year ago 12:44pm 24 August 2023 - last update
about 1 year ago 7 pass - United States laryn
Thanks @gresko8! The patch looks good and applies cleanly.
@hargobind, are you able to do some testing on your sites?
- Estonia mikkmiggur
I think that the issue priority should be higher because without that patch the access page is broken for every single node.
#8 patch seems to fix that issue. -
gresko8
authored 1f433582 on 7.x-1.x
Issue #3383002 by gresko8, mikkmiggur, laryn, hargobind, gisle: Convert...
- Status changed to Fixed
about 1 year ago 12:20pm 30 August 2023 - Norway gisle Norway
Patch in comment #8 committed.
Proceeding to create a new release 7.x-1.3. - Status changed to Fixed
about 1 year ago 7:57am 11 September 2023 - Status changed to Fixed
about 1 year ago 8:24am 11 September 2023 - Norway gisle Norway
Please don't set status "Closed (fixed)" manually. An issue with the status "Fixed" will be automatically closed as fixed and removed from the list of open issues after 14 days. It should remain open for 14 days after being "Fixed" to cater for regressions and other unintended consequences of the fix.
For reference, please see item #11 on the list of things not to do in issues on this page: Issue Etiquette.
Automatically closed - issue fixed for 2 weeks with no activity.