Contrib.social

Variables are incorrectly output in strings causing them to be interpolated as different variables

Open on Drupal.org →
Created on 13 March 2024, 11 months ago
Updated 2 April 2024, 10 months ago

Problem/Motivation

There's various cases in the codebase where a string is created and a variable is interpolated (e.g. "Something like {$foo}" where this happens incorrectly (i.e. "Something like ${$foo}") which causes the contents of the variable to be used as name of a different variable that's then interpolated.

After internal investigation we find that none of the 5 occurrences found provide the ability to leak sensitive data and thus we do not consider this a security issue.

Three times in test code.

  • tests/behat/features/bootstrap/TaggingContext.php
  • tests/behat/features/bootstrap/BookContext.php
  • tests/behat/features/bootstrap/AlbumContext.php

src/Installer/OptionalModuleManager.php which is only run on install and does not use user input.

modules/custom/social_graphql/src/GraphQL/EntityConnection.php which does use user input and was the most likely candidate. However any variables that can be accessed from the particular line of code are deemed to be safe to leak.

Steps to reproduce

Proposed resolution

Fix the string interpolation to use {$variable}

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Fixed

Version

12.1

Component

Code (back-end)

Created by

🇳🇱Netherlands kingdutch

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024