[D7] Content with no text format can have its text format silently set to something else

Created on 17 December 2024, 2 months ago

Problem/Motivation

This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue.

Content with no text format (NULL) can have its text format silently set to something else when the default format is changed and the content is re-saved by an admin.

Steps to reproduce

  1. Go to admin/config/content/formats, drag "Full HTML" to top and save (so it becomes the default format for admin users).
  2. Go to admin/structure/types/manage/article/fields/body, change the text processing to "plain text" and save.
  3. Create an article and fill in the body field.
  4. Now go to admin/structure/types/manage/article/fields/body, change the text processing back to "Filtered text (user selects text format)" and save.
  5. As an administrator, edit the article and make no changes to anything, just scroll down and hit the save button.
  6. Result: The content is silently switched to Full HTML.

Proposed resolution

To fix the root cause of this bug, make sure there is no scenario where formatted text can be stored with a NULL text format (because that doesn't make any sense). This would mean addressing the bug in the field UI that allows it to happen in the first place, doing something to fix historical cases in the database, etc.

With that, we could safely go ahead with patch #7 as the actual security fix (as a secure fallback for any cases we missed).

Remaining tasks

Re-roll as a merge request.
Update the field UI as in the proposed solution.

User interface changes

N/A

Introduced terminology

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

To be provided.

Background information

List of people who worked on the private issue:

  • David_Rothstein
  • greggles
  • dokumori
  • dstol
  • mlhess
  • tsphethean
  • cashwilliams
  • xjm
  • pwolanin
  • larowlan
  • mcdruid

Bug report

Status

Needs work

Version

7.0

Component

field system

Created by

BramDriesen (Belgium)

Tags

  • Security
  • Security improvements
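
One way to look for the historical cases mentioned under "Proposed resolution", as an added example that is not part of the original issue, of patch #7, or of Drupal core: a script for `drush php-script` that counts, per text field and bundle, the stored values that have text but a NULL text format. The function name `null_format_audit` is hypothetical, and the script assumes the default `field_sql_storage` backend.

```php
<?php
// Added audit example (not Drupal core code). Assumes a Drupal 7 site using
// the default field_sql_storage backend; run with "drush php-script".

/**
 * Counts stored text values that have no text format, per field and bundle.
 * The function name is hypothetical; only Drupal 7 core APIs are called.
 */
function null_format_audit() {
  $report = array();
  $text_types = array('text', 'text_long', 'text_with_summary');
  foreach (field_info_fields() as $name => $field) {
    if (!in_array($field['type'], $text_types) || $field['storage']['type'] !== 'field_sql_storage') {
      continue;
    }
    // Storage details map the current-data table to its real column names.
    foreach ($field['storage']['details']['sql'][FIELD_LOAD_CURRENT] as $table => $columns) {
      $query = db_select($table, 'f')->fields('f', array('entity_type', 'bundle'));
      $query->addExpression('COUNT(*)', 'total');
      $query->condition('f.deleted', 0)
        ->isNull('f.' . $columns['format'])
        ->condition('f.' . $columns['value'], '', '<>')
        ->groupBy('f.entity_type')
        ->groupBy('f.bundle');
      foreach ($query->execute() as $row) {
        $instance = field_info_instance($row->entity_type, $name, $row->bundle);
        $report[] = array(
          'field' => $name,
          'entity_type' => $row->entity_type,
          'bundle' => $row->bundle,
          'rows' => (int) $row->total,
          // TRUE: text processing is enabled for this instance, which is the
          // state reached in step 4 of the steps to reproduce.
          'text_processing' => !empty($instance['settings']['text_processing']),
        );
      }
    }
  }
  return $report;
}

foreach (null_format_audit() as $r) {
  print "{$r['field']} ({$r['entity_type']}/{$r['bundle']}): {$r['rows']} value(s) with NULL format, text processing "
    . ($r['text_processing'] ? 'ON' : 'off') . "\n";
}
```

Rows reported with text processing ON are the ones an administrator's re-save would move to the default format. Rows reported as off are plain-text values that reach the same state if text processing is later enabled on that field.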
