Contrib.social

Stored XSS via release links on update pages

Open on Drupal.org β†’
Created on 12 April 2024, 10 months ago
Updated 16 July 2024, 7 months ago

Problem/Motivation

This was originally reported to the security team who decided it could be public

Steps to reproduce

The XML file for release updates contains release link URLs
These are displayed in the available updates report without sanitation.
If the XML endpoint was compromised this could trigger an XSS attack

Proposed resolution

Validate the URLs before output.

Affected file:

/automatic_updates/src/Form/UpdaterForm.php
Affected code:
'#context' => [
   'release_version' => $release->getVersion(),
   'release_link' => $release->getReleaseUrl(),
   'project_title' => $this->t('Release notes for @project_title @version',[
        '@project_title' => 'Drupal core',
        '@version' => $release->getVersion(),
    ]),
    'release_notes' => $this->t('Release notes'),
],

So the fix is likely to apply \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() to the link

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component
UpdateΒ  β†’

Last updated 11 days ago

  • Maintained by
  • πŸ‡ΊπŸ‡ΈUnited States @tedbow
  • πŸ‡ΊπŸ‡ΈUnited States @dww
Created by

πŸ‡¦πŸ‡ΊAustralia larowlan πŸ‡¦πŸ‡ΊπŸ.au GMT+10

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024