Resolve SA-CONTRIB-2024-003 in 2.x branch

Open on Drupal.org →

Created on 24 January 2024, 5 months ago

Updated 8 February 2024, 5 months ago

Problem/Motivation

The fix for SA-CONTRIB-2024-003 → was not included into the 2.x release.

The 2.x-alpha2 release is currently identified as do not use due to existing vulnerabilities being worked on.

Steps to reproduce

N/A

Proposed resolution

Modify getLoginDefinitions() and getValidationDefinitions() to have an $active_only parameter. Adjust calling code if necessary.

Remaining tasks

Wait 2 weeks per the DST Timeline policy before beginning discussion as resolving requires discussing the intricacies of the vulnerability.
Create Patch.

User interface changes

Disabled plugins will not be available to end users.

API changes

Internal Only classes

Data model changes

None expected.

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by

🇺🇸United States cmlara

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @cmlara
Comment 5 months ago →
🇦🇺Australia acbramley
Status changed to Active 5 months ago4:26am 8 February 2024
Comment 5 months ago →
🇺🇸United States cmlara
2 week patch window reached, this is now open for work.

While the 8.x-1.x branch focused on filtering plugins where they were called, in 2.x the current plan is to modify getLoginDefinitions() and getValidationDefinitions() to have an $active_only parameter similar to getLoginDefinitions, see #3319595: Login plugins are always applied even when not enabled → .

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024