(int) typecast in User::hasPermission() is dangerous

Created on 23 November 2024, 5 months ago

This issue was discussed by the Drupal Security Team, and their decision was that this can be solved in a public issue.

Problem/Motivation

@samuel.mortenson noticed this:

User::hasPermission() starts with:

 public function hasPermission($permission) {
    // User #1 has all privileges.
    if ((int) $this->id() === 1) {
      return TRUE;
    }

Note the typecast. If the user ID is some unexpected non-integer value like TRUE or '1e0' or '1. Add a typecast 2. ??? 3. Profit', this could sometimes result in the user being granted all permissions.

The typecast does not exist in Drupal 7; it was introduced in #1966334-54: Convert user_access to User::hasPermission() → without any specific explanation.

Proposed resolution

Get rid of the typecast.

Maybe there are cases where the user ID is '1' as a string from a form submission, so for BC we could check for either '1' or 1.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

📌 Task

Status

Active

Version

8.9 ⚰️

Component

user.module

Created by

🇪🇪Estonia ram4nd Tallinn

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Merge Requests

!10300(int) typecast in User::hasPermission() is dangerous
Open
🇪🇪Estonia ram4nd
updated 5 months ago

Comments & Activities

Issue created by @ram4nd
Merge request !10300Issue #3489337: (int) typecast in User::hasPermission() is dangerous → (Open) created by ram4nd
Comment 5 months ago →
🇪🇪Estonia ram4nd Tallinn
I am thinking that it would be correct to validate int only. But the patch is to check string and int, at this point we probably don't want to introduce new possible problems.
Comment 5 months ago →
cilefen
Drupal 8 is no longer supported on drupal.org and that function looks significantly different in supported releases. Can you check on the 11.x branch and re-evaluate the bug?
Status changed to Closed: outdated 2 months ago9:40pm 23 February 2025
Comment 2 months ago →
🇳🇿New Zealand quietone
There has been no further discussion here. And @cilefen, has described the next actions here. So, I am closing this.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024