Originally reported to the Drupal security team by @tedbow on 9 May 2022 (#176856), which was subsequently considered a case for security hardening and not a vulnerability.
Problem/Motivation
This module has an Update vulnerability.
The Update existing functionality around installing and update functionality
The installing problem, where if a site is compromised any unsafe module could be installed via URL, has been publicly documented, probably in many places.
But there is another problem because module updates are not Composer-aware.
Example security problem:
- A contrib Module X has a security update because one of its Composer dependencies has a security update
- The Composer dependency security update only has the security fix and no BC breaks, so the Drupal site will still work if the dependency is not updated (though it will be insecure)
- User sees the security update in admin/reports/updates/update
- User updates the Module X via the UI
- The Composer dependency with the security update is not updated because the Update module does not update Composer dependencies
- The user thinks they have fixed the security problem on their site but they have not and will have no indication they have not unless they read the release notes
This is very obvious but I am not sure we have this documented anywhere.
It would actually be a way to mass exploit sites after a contrib security update that just updates a dependency for a security update. For instance, if a very popular contrib module with a Composer dependency had a security update for the dependency's security update, then an attacker could not only search for sites that have not yet updated, they could also search for sites that updated via the Update module.
I am filing this issue because I think the above problem is a good reason to disable the Update module non-Composer aware updating by default in Drupal 10 even before Automatic Updates has a replacement. But I am not sure if I should make that point publicly in the issue.
---
Follow-up comments by tedbow:
9 May 2022 at 23:18
There are a lot of ways we could address this problem; here is my suggestion:
- Implement "Default `allow_authorize_operations` to false to discourage installing and updating modules in Composer incompatible ways". This would mean in Drupal 10 you would have to opt in to updating and installing modules via the UI in a way that is not Composer compatible
- In the `#$settings['allow_authorize_operations']` comment in settings.php, indicate that if you change the default setting you will have to either ensure you are not using any modules with Composer dependencies or do updates that change Composer dependencies via Composer (I am sure this is actually practical to use both)
- Add a warning to the UI that allows updates, admin/reports/updates/update (if the disabled default is overridden), that using the form requires you to manually keep Composer dependencies up to date. We could only put the message if there are security updates, but I think #5 demonstrates it is actually more complicated
- Add a link on Available Updates, admin/reports/updates, to documentation about how to update projects. The suggested method would be Composer, but we could document how to override $settings['allow_authorize_operations'] and document the problems with dependencies, security and otherwise, that this could lead to
Outside of core, to make the upgrade to Drupal 10 easier, we could also add a check in Upgrade Status to check if contrib projects are present in the codebase that are not known to Composer or whose version numbers do not match what Composer has. This would likely indicate the site has been using Update module functionality to install and/or update modules. Then we could provide a warning that you should consider using Composer, or if you still want to use the Update module to update/install you can override $settings['allow_authorize_operations']
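The codebase-versus-Composer check sketched above, as an added stand-alone example (not code from Drupal core, Upgrade Status or the issue author): it reads the `drupal-module` packages out of composer.lock, reads the `project` and `version` keys that the drupal.org packaging script writes into each contrib module's .info.yml, and reports modules that Composer does not know about or whose version differs from the locked one. Both inputs are constructed inline. Assumptions: .info.yml files are flat `key: value` documents (a minimal parser is used instead of PyYAML), and legacy `8.x-1.2`-style tags map to Composer's `1.2.0` the way drupal.org's packagist exposes them; the module names and versions are made up.

```python
import json
import re

# Constructed composer.lock fragment (not a real lock file).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.4.0", "type": "drupal-core"},
        {"name": "drupal/module_x", "version": "1.2.0", "type": "drupal-module"},
        {"name": "drupal/module_y", "version": "2.0.1", "type": "drupal-module"},
        {"name": "vendor/some-library", "version": "3.1.0", "type": "library"},
    ],
    "packages-dev": [],
})

# Constructed .info.yml files keyed by path, written the way packaged releases look.
# module_x: updated through the Update module UI, so the codebase is ahead of the lock.
# module_y: matches the lock.
# module_z: installed via the UI, never added through Composer.
INFO_FILES = {
    "modules/contrib/module_x/module_x.info.yml":
        "name: Module X\ntype: module\ncore_version_requirement: ^9\n"
        "project: 'module_x'\nversion: '8.x-1.3'\n",
    "modules/contrib/module_y/module_y.info.yml":
        "name: Module Y\ntype: module\ncore_version_requirement: ^9\n"
        "project: 'module_y'\nversion: '2.0.1'\n",
    "modules/contrib/module_z/module_z.info.yml":
        "name: Module Z\ntype: module\ncore_version_requirement: ^9\n"
        "project: 'module_z'\nversion: '8.x-1.0'\n",
}


def parse_info_yml(text):
    """Minimal 'key: value' parser; enough for packaged .info.yml files (assumes flat keys)."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        data[key.strip()] = value.strip().strip("'\"")
    return data


def normalize_drupal_version(version):
    """Map a legacy core-prefixed tag to the semver Composer sees:
    8.x-1.2 -> 1.2.0, 8.x-1.2-beta1 -> 1.2.0-beta1. Semver tags pass through."""
    m = re.fullmatch(r"\d+\.x-(\d+)\.(\d+)(?:-(.+))?", version)
    if not m:
        return version
    major, minor, extra = m.groups()
    return f"{major}.{minor}.0" + (f"-{extra}" if extra else "")


def composer_modules(lock_text):
    """Return {package name: locked version} for every drupal-module package."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: p["version"] for p in packages if p.get("type") == "drupal-module"}


def find_mismatches(lock_text, info_files):
    """Return (package, reason, codebase version, locked version or None) for each
    contrib module Composer does not manage or whose version differs from the lock."""
    known = composer_modules(lock_text)
    findings = []
    for path, text in sorted(info_files.items()):
        info = parse_info_yml(text)
        project, version = info.get("project"), info.get("version")
        if not project or not version:
            continue  # dev checkout without packaging metadata; nothing to compare
        name = f"drupal/{project}"
        on_disk = normalize_drupal_version(version)
        if name not in known:
            findings.append((name, "not in composer.lock", on_disk, None))
        elif on_disk != known[name]:
            findings.append((name, "version mismatch", on_disk, known[name]))
    return findings


if __name__ == "__main__":
    for name, reason, on_disk, locked in find_mismatches(COMPOSER_LOCK, INFO_FILES):
        print(f"{name}: {reason} (codebase {on_disk}, composer.lock {locked})")
```

A mismatch or an unknown package is the signal the text describes: the site was installing or updating through the Update module, so any Composer dependency that the release bumped was never pulled in, and the warning about `$settings['allow_authorize_operations']` should be shown.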
Steps to reproduce
Proposed resolution
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Contributors
- tedbow
- DamienMcKenna
- effulgentsia
- dww
- cilefen
- xjm
- catch