Add test for SA-CORE-2024-002

Created on 30 May 2025, 7 days ago

Problem/Motivation

This is a followup to SA-CORE-2024-002 which affected CKEditor5ImageController.
We should have a test that prevents this vulnerability from being reintroduced.

Steps to reproduce

Proposed resolution

We should add a unit test that replicates the upload conditions that triggered the vulnerability.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

📌 Task

Status

Active

Version

11.0 🔥

Component

ckeditor5.module

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Merge Requests

!12289Add test for SA-CORE-2024-002
Open
🇫🇷France prudloff
updated 6 days ago

Comments & Activities

Issue created by @prudloff
Merge request !12289Apply patch from private issue → (Open) created by prudloff
Pipeline finished with Failed
6 days ago
#510832
Pipeline finished with Success
6 days ago
Total: 787s
#510839
Comment 6 days ago →
🇫🇷France prudloff Lille
I added and updated the patch from the private issue.
People from the "Fixed by" section of https://www.drupal.org/sa-core-2024-002 → should probably be credited.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024