Contrib.social

Avoid abuse of config sync import tarballs

Open on Drupal.org →
Created on 27 May 2025, 4 days ago

Problem/Motivation

This issue has been discussed with the Drupal Security Team, and approved for handling in public as there is no direct vulnerability / exploit.

It's possible to abuse the config sync import functionality in order to upload malicious files.

In order to access the functionality, a user must have one or more restricted permissions.

At present \Drupal\config\Form\ConfigImportForm will extract the content of an uploaded tarball into the config_sync_directory without any filtering or sanitisation of file attributes.

This means it's possible to include e.g. malicious executable files in the tarball and these will be extracted to the sync directory.

A bad actor would then need a way of actually executing those malicious files, but getting them onto the webserver at a predictable location and with the executable bit in tact could be one step in a chained attack.

Note that it should not be possible to use e.g. directory traversal to extract a file outside the sync directory, but this depends on the implementation in the PEAR Archive_Tar library. There has been at least one relevant vulnerability in the library in the past (e.g. https://github.com/advisories/GHSA-p8q8-jfcv-g2h2 ).

Steps to reproduce

Use the tarball import functionality at /admin/config/development/configuration/full/import to upload a tarball with content other than valid .yml configuration exports.

For example, an executable shell script within the tarball will be extracted into the sync directory.

Proposed resolution

The tarball import should only extract what appear to be valid .yml config files.

It should also sanitise the permissions of imported files; for example ensuring that they are not executable.

Remaining tasks

MR / review / merge etc..

User interface changes

I don't think we need to present error messages when there are files in the tarball that will not be extracted, or permissions that will be sanitised?

Introduced terminology

n/a

API changes

n/a

Data model changes

n/a

Release notes snippet

I don't think this needs a release note, as there is no change to the legitimate functionality.

📌 Task
Status

Active

Version

11.0 🔥

Component

configuration system

Created by

🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @mcdruid
  • Merge request !12251validate filenames and sanitise permissions → (Open) created by mcdruid
  • Comment 4 days ago
    🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
  • Pipeline finished with Failed
    4 days ago
    Total: 164s
    #507487
  • Comment 4 days ago
    🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
  • Pipeline finished with Failed
    4 days ago
    Total: 463s
    #507497
  • Comment 4 days ago
    🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    Looks like it's legitimate to have subdirectories within the tarball, based on \Drupal\Tests\config\Functional\ConfigExportImportUITest::testExportImportCollections.

    I'd initially assumed there was only ever a flat list of yml files.

  • Pipeline finished with Success
    4 days ago
    Total: 1986s
    #507528
  • Comment 4 days ago
    🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    Existing tests pass with the changes in the MR.

    We should add one or more tests that show:

    • Only .yml files are extracted from the tarball.
    • A file with executable permissions in the tarball is extracted with default (664) permissions into the sync directory.
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024