Contrib.social

Module and theme names are not filtered on output.

Open on Drupal.org →
Created on 19 November 2009, over 14 years ago
Updated 20 June 2024, 5 days ago

Problem/Motivation

Especially with the growth of Features, and the ability to use update module to add/update themes and modules, it seems like a not entirely safe assumption that what's in the .info file is safe text.

Also, there are modules that let you write themes, for example, via a starting from an existing theme as a template. In that case, a user with a lesser admin permission might be able to inject XSS.

We should sanitize all the elements of the .info file that may be displayed (or maybe just all) as a simple hardening.

Steps to reproduce

Create any module like(module_name) , add .info.yml file for eg(module_name.info.yml)

In module_name.info.yml, in the description of module name add script code like this :
description: <script>alert('evil desc');</script>

Now hit the /admin/modules page

You 'll notice script execute

Expected behaviour

If in description of module name added script code like this:
description: <script>alert('evil desc');</script>

then script code should not execute.

Proposed resolution

Sanitize all the elements of the .info file that may be displayed.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Needs review

Version

11.0 🔥

Component
Extension 

Last updated 5 days ago

No maintainer
Created by

🇺🇸United States pwolanin

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago
    needs-review-queue-bot

    The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • Comment about 1 year ago
    🇮🇳India Nikhil_110

    Attached patch against Drupal 10.1.x

    Patch #46 is not applied for Drupal 10 so Inter-diff file is not added.

    Checking patch core/modules/system/src/Form/ModulesListForm.php...
    Hunk #1 succeeded at 21 (offset 1 line).
    Hunk #2 succeeded at 143 (offset 3 lines).
    Hunk #3 succeeded at 208 (offset 8 lines).
    error: while searching for:
    $row['#requires'] = [];
    $row['#required_by'] = [];

    $row['name']['#markup'] = $module->info['name'];
    $row['description']['#markup'] = $this->t($module->info['description']);
    $row['version']['#markup'] = $module->info['version'];

    // Generate link for module's help page. Assume that if a hook_help()
    // implementation exists then the module provides an overview page, rather

    error: patch failed: core/modules/system/src/Form/ModulesListForm.php:247
    error: core/modules/system/src/Form/ModulesListForm.php: patch does not apply
    Checking patch core/modules/system/system.admin.inc...

  • Open in Jenkins → Open on Drupal.org →
    Environment: PHP 8.2 & sqlite-3.34
    last update 8 months ago
    29,506 pass, 62 fail
  • First commit to issue fork.
  • Merge request !7436Issue #637538 : Module and theme names are not filtered on output. → (Open) created by Bhanu951
  • Status changed to Needs review 2 months ago
  • Comment 2 months ago
    🇮🇳India Bhanu951

    Came from http://www.madirish.net/555

    Re-Rolled patch from #46 against 11.x head.

  • Pipeline finished with Canceled
    2 months ago
    Total: 223s
    #143588
  • Status changed to Needs work 2 months ago
  • Comment 2 months ago
    needs-review-queue-bot

    The Needs Review Queue Bot tested this issue.

    While you are making the above changes, we recommend that you convert this patch to a merge request . Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)

  • Pipeline finished with Failed
    2 months ago
    Total: 991s
    #143596
  • First commit to issue fork.
  • Pipeline finished with Failed
    12 days ago
    Total: 542s
    #198079
  • Pipeline finished with Failed
    12 days ago
    Total: 588s
    #198099
  • Pipeline finished with Success
    12 days ago
    Total: 510s
    #198105
  • Comment 12 days ago
    pooja_sharma

    Addressed the test failures & pipeline passed

    Please review , moved NR

  • Status changed to Needs review 12 days ago
  • Comment 12 days ago
    pooja_sharma
  • Status changed to Needs work 8 days ago
  • Comment 8 days ago
    🇺🇸United States smustgrave

    Thanks for continuing to work on this. Will need a test case showing the issue.

  • Pipeline finished with Success
    6 days ago
    Total: 574s
    #202893
  • Pipeline finished with Success
    6 days ago
    #202907
  • Pipeline finished with Success
    6 days ago
    Total: 517s
    #202926
  • Pipeline finished with Success
    6 days ago
    Total: 605s
    #202946
  • Comment 6 days ago
    pooja_sharma

    Added test case .

    Please review , moved NR

  • Status changed to Needs review 6 days ago
  • Comment 6 days ago
    pooja_sharma
  • Status changed to Needs work 5 days ago
  • Comment 5 days ago
    🇺🇸United States smustgrave

    Have not reviewed yet but issue summary appears to be incomplete could that be updated please

    Can use https://www.drupal.org/docs/develop/issues/fields-and-other-parts-of-an-... . for help if needed.

  • Comment 5 days ago
    pooja_sharma
  • Status changed to Needs review 5 days ago
  • Comment 5 days ago
    pooja_sharma
contrib.social Blog FAQ Discussions
Production build 0.69.0 2024