#Needs security review

Open on Drupal.org →

⚡️ Live updates comments, jobs, and issues, tagged with #Needs security review will update issues and activities on this page.

Issues

The last 100 updated issues.

🐛
User must be logged-in to use the cancel account link that is emailed
Needs work
Drupal core 11.0 — user.module
Created over 7 years ago
🇬🇧United Kingdom xiwar
2 days ago
✨
Allow the use of symlinks within the files directory.
Needs work
Drupal core 11.0 — file system
Created over 13 years ago
🇺🇸United States tekante
14 days ago
🐛
Should "iFrame domain" also set "X-Frame-Options" header
Needs work
Drupal core 11.0 — media system
Created over 4 years ago
🇺🇸United States osman
24 days ago
🐛
Dots in query parameter names converted to underscores
Needs work
Drupal core 11.0 — menu system
Created almost 6 years ago
🇺🇸United States awolfey
25 days ago
📌
Password reset form error makes no sense when the account is locked
Needs work
Drupal core 11.0 — user system
Created about 1 year ago
🇨🇳China xiukun.zhou
30 days ago
🐛
Url only outputs the last value of a query parameter
Needs work
Drupal core 11.0 — routing system
Created about 5 years ago
🇵🇱Poland blazey
about 1 month ago
🌱
Security review of secure signing components for package manager
Needs work
Drupal core 11.0 — update.module
Created about 1 year ago
🇺🇸United States hestenet
about 1 month ago
🐛
"Restrict images to this site" restricts images that, by definition, *are* on this site.
Needs work
Drupal core 11.0 — filter.module
Created over 5 years ago
🇺🇸United States Ben Coleman
2 months ago
🐛
Avoid overwriting .htaccess changes during scaffolding > security problem
Needs work
Drupal core 11.0 — composer
Created over 4 years ago
🇺🇸United States becw
2 months ago
🐛
Use TrustedRedirectResponse Error on Multilingual Setup
Needs work
Drupal core 11.0 — routing system
Created over 8 years ago
🇺🇸United States Greg Sims
3 months ago
📌
[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless
Active
Drupal core 11.0 — media system
Created about 3 years ago
🇺🇸United States phenaproxima
3 months ago
📌
Don't automatically set a cookie domain
Needs work
Drupal core 11.0 — base system
Created over 6 years ago
🇬🇧United Kingdom alexpott
3 months ago
🐛
ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing references
Needs work
Drupal core 11.0 — entity_reference.module
Created almost 6 years ago
🇩🇪Germany nghai
4 months ago
📌
[PP-1] Add security checking for Symfony Mailer transports
Postponed
Drupal core 11.0 — mail system
Created 9 months ago
🇬🇧United Kingdom AdamPS
7 months ago
✨
Allow README.md to optionally render as the project page
Fixed
Drupal.org customizations 3.0
Created almost 12 years ago
🇺🇸United States cashwilliams
8 months ago
🐛
Stream wrappers don't decode url encoded URIs
Needs work
Drupal core 9.5 — file system
Created about 12 years ago
🇨🇭Switzerland Berdir
9 months ago
💬
Apply for Drupal Security Advisory Coverage
Closed: duplicate
Advanced Link Attributes 2.5
Created 11 months ago
🇨🇦Canada aastrong
9 months ago
📌
Please opt into security advisory coverage
Closed: duplicate
Widen Collective 1.0
Created over 6 years ago
🇺🇸United States john.oltman
9 months ago
🐛
text_summary() returns a plain string, even if passed a MarkupInterface object
Needs work
Drupal core 11.0 — text.module
Created almost 5 years ago
🇺🇸United States effulgentsia
11 months ago
🐛
Allow password reset on account with the username matching another email; prevent registrations that match another account
Needs work
Drupal core 11.0 — user.module
Created over 12 years ago
🇺🇸United States hefox
11 months ago
📌
Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor roles
Active
Drupal core 11.0 — filter.module
Created over 4 years ago
🇦🇺Australia larowlan
12 months ago
✨
Create a global "kill switch" for Package Manager?
Active
Automatic Updates 3.0
Created about 2 years ago
🇺🇸United States phenaproxima
about 1 year ago
✨
Allow selection of which folder a file is to on the file/add form
Needs review
File Entity (fieldable files) 2.0
Created almost 11 years ago
🇺🇸United States Dave Reid
about 1 year ago
📌
Add YAML support to serialization module
Needs work
Drupal core 10.1 — serialization.module
Created over 11 years ago
🇬🇧United Kingdom damiankloip
over 1 year ago
📌
Do not use the .php extension in mtime protected storage to work around bogus PHP extensions
Postponed: needs info
Drupal core 10.1 — base system
Created almost 4 years ago
ayushst
about 1 year ago
🐛
make x-frame-options configurable
Postponed
Drupal core 10.1 — request processing system
Created over 8 years ago
🇩🇪Germany yobottehg
over 1 year ago
🐛
The XSS filter should allow more HTML entities
Needs work
Drupal core 10.1 — base system
Created over 4 years ago
🇨🇿Czech Republic martin_klima
over 1 year ago
🐛
MapItem unserialize function in setValue method should allow TranslatableMarkup class
Needs work
Drupal core 10.1 — field system
Created about 5 years ago
🇭🇷Croatia xSDx
over 1 year ago
🐛
Xss::filter() does not handle HTML tags inside attribute values
Closed: duplicate
Drupal core 10.1 — filter.module
Created almost 3 years ago
🇬🇧United Kingdom longwave
over 1 year ago
✨
Drupal 10 compatibility
Fixed
jQuery UI 1.0
Created about 2 years ago
🇺🇸United States effulgentsia
over 1 year ago
🐛
\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()
Needs work
Drupal core 10.1 — bootstrap system
Created over 5 years ago
🇺🇸United States samuel.mortenson
over 1 year ago
🐛
User email should not be case sensitive
Postponed
Drupal core 10.1 — user.module
Created about 9 years ago
tvn
over 1 year ago
🐛
htmlspecialchars() expects parameter 1 to be string, array given
Needs work
Drupal core 9.5 — markup
Created almost 5 years ago
🇧🇬Bulgaria Plamen.Penev
about 1 year ago

Activities

The last 7 days of comments and CI jobs.

Comment 2 days ago →
🇫🇷France 5
Maybe we can refactor this cancel confirm route so it asks your password one last time.

Something like changing the link form cancellation_url to /user/login?destination=cancellation_url, which should transparently

if not connected, makes the user land on user login form instead of unattended 403 (making it understand it may login in order to confirm the cancellation of its account)

if connected, makes the user land to the cancellation confirmation page

?
in Drupal core » User must be logged-in to use the cancel account link that is emailed

contrib.social Blog FAQ Discussions

Production build 0.67.2 2024

#Needs security review

Issues

User must be logged-in to use the cancel account link that is emailedNeeds workDrupal core 11.0 — user.module Created over 7 years ago

Allow the use of symlinks within the files directory.Needs workDrupal core 11.0 — file system Created over 13 years ago

Should "iFrame domain" also set "X-Frame-Options" header Needs workDrupal core 11.0 — media system Created over 4 years ago

Dots in query parameter names converted to underscoresNeeds workDrupal core 11.0 — menu system Created almost 6 years ago

Password reset form error makes no sense when the account is lockedNeeds workDrupal core 11.0 — user system Created about 1 year ago

Url only outputs the last value of a query parameterNeeds workDrupal core 11.0 — routing system Created about 5 years ago

Security review of secure signing components for package managerNeeds workDrupal core 11.0 — update.module Created about 1 year ago

"Restrict images to this site" restricts images that, by definition, *are* on this site.Needs workDrupal core 11.0 — filter.module Created over 5 years ago

Avoid overwriting .htaccess changes during scaffolding > security problemNeeds workDrupal core 11.0 — composer Created over 4 years ago

Use TrustedRedirectResponse Error on Multilingual SetupNeeds workDrupal core 11.0 — routing system Created over 8 years ago

[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointlessActiveDrupal core 11.0 — media system Created about 3 years ago

Don't automatically set a cookie domainNeeds workDrupal core 11.0 — base system Created over 6 years ago

ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing referencesNeeds workDrupal core 11.0 — entity_reference.module Created almost 6 years ago

[PP-1] Add security checking for Symfony Mailer transportsPostponedDrupal core 11.0 — mail system Created 9 months ago

Allow README.md to optionally render as the project pageFixedDrupal.org customizations 3.0 Created almost 12 years ago

Stream wrappers don't decode url encoded URIsNeeds workDrupal core 9.5 — file system Created about 12 years ago

Apply for Drupal Security Advisory Coverage Closed: duplicateAdvanced Link Attributes 2.5 Created 11 months ago

Please opt into security advisory coverageClosed: duplicateWiden Collective 1.0 Created over 6 years ago

text_summary() returns a plain string, even if passed a MarkupInterface objectNeeds workDrupal core 11.0 — text.module Created almost 5 years ago

Allow password reset on account with the username matching another email; prevent registrations that match another accountNeeds workDrupal core 11.0 — user.module Created over 12 years ago

Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor rolesActiveDrupal core 11.0 — filter.module Created over 4 years ago

Create a global "kill switch" for Package Manager?ActiveAutomatic Updates 3.0 Created about 2 years ago

Allow selection of which folder a file is to on the file/add formNeeds reviewFile Entity (fieldable files) 2.0 Created almost 11 years ago

Add YAML support to serialization moduleNeeds workDrupal core 10.1 — serialization.module Created over 11 years ago

Do not use the .php extension in mtime protected storage to work around bogus PHP extensionsPostponed: needs infoDrupal core 10.1 — base system Created almost 4 years ago

make x-frame-options configurablePostponedDrupal core 10.1 — request processing system Created over 8 years ago

The XSS filter should allow more HTML entitiesNeeds workDrupal core 10.1 — base system Created over 4 years ago

MapItem unserialize function in setValue method should allow TranslatableMarkup classNeeds workDrupal core 10.1 — field system Created about 5 years ago

Xss::filter() does not handle HTML tags inside attribute valuesClosed: duplicateDrupal core 10.1 — filter.module Created almost 3 years ago

Drupal 10 compatibilityFixedjQuery UI 1.0 Created about 2 years ago

\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()Needs workDrupal core 10.1 — bootstrap system Created over 5 years ago

User email should not be case sensitivePostponedDrupal core 10.1 — user.module Created about 9 years ago

htmlspecialchars() expects parameter 1 to be string, array givenNeeds workDrupal core 9.5 — markup Created almost 5 years ago

Activities

User must be logged-in to use the cancel account link that is emailed
Needs work
Drupal core 11.0 — user.module
Created over 7 years ago

Allow the use of symlinks within the files directory.
Needs work
Drupal core 11.0 — file system
Created over 13 years ago

Should "iFrame domain" also set "X-Frame-Options" header
Needs work
Drupal core 11.0 — media system
Created over 4 years ago

Dots in query parameter names converted to underscores
Needs work
Drupal core 11.0 — menu system
Created almost 6 years ago

Password reset form error makes no sense when the account is locked
Needs work
Drupal core 11.0 — user system
Created about 1 year ago

Url only outputs the last value of a query parameter
Needs work
Drupal core 11.0 — routing system
Created about 5 years ago

Security review of secure signing components for package manager
Needs work
Drupal core 11.0 — update.module
Created about 1 year ago

"Restrict images to this site" restricts images that, by definition, are on this site.
Needs work
Drupal core 11.0 — filter.module
Created over 5 years ago

Avoid overwriting .htaccess changes during scaffolding > security problem
Needs work
Drupal core 11.0 — composer
Created over 4 years ago

Use TrustedRedirectResponse Error on Multilingual Setup
Needs work
Drupal core 11.0 — routing system
Created over 8 years ago

[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless
Active
Drupal core 11.0 — media system
Created about 3 years ago

Don't automatically set a cookie domain
Needs work
Drupal core 11.0 — base system
Created over 6 years ago

ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing references
Needs work
Drupal core 11.0 — entity_reference.module
Created almost 6 years ago

[PP-1] Add security checking for Symfony Mailer transports
Postponed
Drupal core 11.0 — mail system
Created 9 months ago

Allow README.md to optionally render as the project page
Fixed
Drupal.org customizations 3.0
Created almost 12 years ago

Stream wrappers don't decode url encoded URIs
Needs work
Drupal core 9.5 — file system
Created about 12 years ago

Apply for Drupal Security Advisory Coverage
Closed: duplicate
Advanced Link Attributes 2.5
Created 11 months ago

Please opt into security advisory coverage
Closed: duplicate
Widen Collective 1.0
Created over 6 years ago

text_summary() returns a plain string, even if passed a MarkupInterface object
Needs work
Drupal core 11.0 — text.module
Created almost 5 years ago

Allow password reset on account with the username matching another email; prevent registrations that match another account
Needs work
Drupal core 11.0 — user.module
Created over 12 years ago

Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor roles
Active
Drupal core 11.0 — filter.module
Created over 4 years ago

Create a global "kill switch" for Package Manager?
Active
Automatic Updates 3.0
Created about 2 years ago

Allow selection of which folder a file is to on the file/add form
Needs review
File Entity (fieldable files) 2.0
Created almost 11 years ago

Add YAML support to serialization module
Needs work
Drupal core 10.1 — serialization.module
Created over 11 years ago

Do not use the .php extension in mtime protected storage to work around bogus PHP extensions
Postponed: needs info
Drupal core 10.1 — base system
Created almost 4 years ago

make x-frame-options configurable
Postponed
Drupal core 10.1 — request processing system
Created over 8 years ago

The XSS filter should allow more HTML entities
Needs work
Drupal core 10.1 — base system
Created over 4 years ago

MapItem unserialize function in setValue method should allow TranslatableMarkup class
Needs work
Drupal core 10.1 — field system
Created about 5 years ago

Xss::filter() does not handle HTML tags inside attribute values
Closed: duplicate
Drupal core 10.1 — filter.module
Created almost 3 years ago

Drupal 10 compatibility
Fixed
jQuery UI 1.0
Created about 2 years ago

\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()
Needs work
Drupal core 10.1 — bootstrap system
Created over 5 years ago

User email should not be case sensitive
Postponed
Drupal core 10.1 — user.module
Created about 9 years ago

htmlspecialchars() expects parameter 1 to be string, array given
Needs work
Drupal core 9.5 — markup
Created almost 5 years ago