Security fixes for sa-contrib-2025-047 not applied to 2.x!

Created on 14 May 2025, about 1 month ago

Problem/Motivation

The security fixes from SA-CONTRIB-2025-047 → were not applied to 2.x, meaning it's still vulnerable. The branch is in use and is the main target for new issues, so it should either be marked unsupported, or be patched.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by

solideogloria

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Comments & Activities

Issue created by @solideogloria
Comment about 1 month ago →
solideogloria
Comment about 1 month ago →
solideogloria
See the comparison between 1.x and 2.x:

https://git.drupalcode.org/project/restrict_route_by_ip/-/compare/2.0.x....
Comment about 1 month ago →
solideogloria
Never mind. I was wrong and missed that the CSRF fixes were applied, but none of the other commits were applied. The issue is fixed in 2.x

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024