Regular expression Denial of Service

Created on 21 March 2024, 8 months ago

Problem/Motivation

This module has a Regular expression Denial of Service issue.

This was first reported as a security issue, and it was decided to make it public, since it requires admin permissions.

Steps to reproduce

You can see this issue by:

  1. Enabling the module
  2. As a user with the 'administer site configuration+administer software updates' permission (or whatever permission is required if using Drupal 7 instead), navigate to /admin/config/development/maintenance
  3. An arbitrary regex can be entered in both the "Forms that can be submitted" and "Forms that can be viewed" fields, with the modification that all occurrences of "*" will be replaced with ".*" and that "^" and "$" will be added before and after, respectively.

The problematic code is in _readonlymode_form_list_check(), in both D7 and D8+.

function _readonlymode_form_list_check($form_id, array $list) {
  $l = preg_split('/(\r\n|\n|\r)/', $list);
  foreach ($l as $word) {
    // Skip empty words.
    if (empty($word)) {
      continue;
    }
    $word = str_replace('*', '.*', $word);
    if (preg_match('/^' . $word . '$/', $form_id) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

Proposed resolution

The code should be changed to work more like \Drupal\Core\Path\PathMatcher::matchPath, which escapes regex characters, then performs replacement for asterisks and joins the result into a regex. The function could also similarly make use of replacing newlines with a logical 'or', to avoid having a for loop.
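
One way to apply the resolution proposed above, as an added example that is not the module's code or a committed patch. The function name example_form_list_check(), the sample list, and the collapsing of repeated asterisks are assumptions made for illustration.

```php
<?php

/**
 * Added example: matches a form ID against a newline-separated list in which
 * "*" is the only wildcard. Hypothetical name, not part of the module.
 */
function example_form_list_check(string $form_id, string $list): bool {
  $alternatives = [];
  foreach (preg_split('/\r\n?|\n/', $list) as $word) {
    // Skip empty lines, as the original function does.
    if ($word === '') {
      continue;
    }
    // Assumption beyond the proposal: collapse "***" to "*" so that one
    // list entry cannot produce a chain of adjacent ".*" groups.
    $word = preg_replace('/\*+/', '*', $word);
    // Escape every regex metacharacter first, so "(", "+", "|" and the "/"
    // delimiter are literals. preg_quote() turns "*" into "\*", which is
    // then the only sequence converted back into a wildcard.
    $alternatives[] = str_replace('\*', '.*', preg_quote($word, '/'));
  }
  if ($alternatives === []) {
    return FALSE;
  }
  // Join the entries with a logical "or" instead of looping over
  // preg_match(). The D modifier makes "$" match only at the very end
  // of the subject.
  $regex = '/^(?:' . implode('|', $alternatives) . ')$/D';
  return preg_match($regex, $form_id) === 1;
}

// Constructed sample input. The second entry is a regex with nested
// quantifiers; after escaping it can only match the literal text "(a+)+".
$list = "user_login_*\n(a+)+\nsearch_form";
foreach (['user_login_form', 'aaaa', '(a+)+', 'search_form_extra'] as $id) {
  printf("%-20s %s\n", $id, example_form_list_check($id, $list) ? 'match' : 'no match');
}
```

Entries already saved in configuration that relied on full regex syntax will stop matching after such a change, so existing values should be reviewed when it is deployed.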

🐛 Bug report
Status

Active

Version

2.0

Component

Code

  • Security improvements
