#Needs security review

Open on Drupal.org →

⚡️ Live updates comments, jobs, and issues, tagged with #Needs security review will update issues and activities on this page.

Issues

🐛
The Content overview page filters out unpublished nodes when a node access module is enabled
Needs work
Drupal core 11.0 — node system
Created 6 months ago
🇭🇺Hungary mxr576
14 days ago
📌
[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless
Active
Drupal core 11.0 — media system
Created over 3 years ago
🇺🇸United States phenaproxima
23 days ago
🌱
Security review of secure signing components for package manager
Needs review
Drupal core 11.0 — update.module
Created over 1 year ago
🇺🇸United States hestenet
29 days ago
🐛
Dots in query parameter names converted to underscores
Needs work
Drupal core 9.5 — menu system
Created over 6 years ago
🇺🇸United States awolfey
about 1 month ago
🐛
ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing references
Needs work
Drupal core 11.0 — entity_reference.module
Created over 6 years ago
🇩🇪Germany nghai
about 1 month ago
📌
Don't automatically set a cookie domain
Needs review
Drupal core 10.1 — base system
Created almost 7 years ago
🇬🇧United Kingdom alexpott
about 2 months ago
✨
Allow to change upload formats for managed_file
Needs work
Menu Link Attributes 1.0
Created over 1 year ago
🇺🇦Ukraine NotifyOne
3 months ago
📌
Security review for 8.x-1.0
Active
Resource Hints 1.0
Created almost 8 years ago
🇺🇸United States bighappyface
4 months ago
🌱
Consider using phpstorage for update module
Closed: outdated
Drupal core 11.0 — update.module
Created over 8 years ago
🇬🇧United Kingdom catch
5 months ago
🐛
User must be logged-in to use the cancel account link that is emailed
Needs work
Drupal core 11.0 — user.module
Created almost 8 years ago
🇬🇧United Kingdom xiwar
6 months ago
✨
Allow the use of symlinks within the files directory.
Needs work
Drupal core 11.0 — file system
Created almost 14 years ago
🇺🇸United States tekante
7 months ago
🐛
Should "iFrame domain" also set "X-Frame-Options" header
Needs work
Drupal core 11.0 — media system
Created over 5 years ago
🇺🇸United States osman
7 months ago
📌
Password reset form error makes no sense when the account is locked
Needs work
Drupal core 11.0 — user system
Created over 1 year ago
🇨🇳China xiukun.zhou
7 months ago
🐛
Url only outputs the last value of a query parameter
Needs work
Drupal core 11.0 — routing system
Created over 5 years ago
🇵🇱Poland blazey
7 months ago
🐛
"Restrict images to this site" restricts images that, by definition, *are* on this site.
Needs work
Drupal core 11.0 — filter.module
Created about 6 years ago
🇺🇸United States Ben Coleman
8 months ago
🐛
Avoid overwriting .htaccess changes during scaffolding > security problem
Needs work
Drupal core 11.0 — composer
Created about 5 years ago
🇺🇸United States becw
8 months ago
📌
[PP-1] Add security checking for Symfony Mailer transports
Postponed
Drupal core 11.0 — mail system
Created about 1 year ago
🇬🇧United Kingdom adamps
about 1 year ago
✨
Allow README.md to optionally render as the project page
Fixed
Drupal.org customizations 3.0
Created over 12 years ago
🇺🇸United States cashwilliams
about 1 year ago
🐛
Stream wrappers don't decode url encoded URIs
Needs work
Drupal core 9.5 — file system
Created over 12 years ago
🇨🇭Switzerland berdir
about 1 year ago
💬
Apply for Drupal Security Advisory Coverage
Closed: duplicate
Advanced Link Attributes 2.5
Created over 1 year ago
🇨🇦Canada aastrong
about 1 year ago
📌
Please opt into security advisory coverage
Closed: duplicate
Widen Collective 1.0
Created about 7 years ago
🇺🇸United States john.oltman
over 1 year ago
🐛
text_summary() returns a plain string, even if passed a MarkupInterface object
Needs work
Drupal core 11.0 — text.module
Created over 5 years ago
🇺🇸United States effulgentsia
over 1 year ago
🐛
Allow password reset on account with the username matching another email; prevent registrations that match another account
Needs work
Drupal core 11.0 — user.module
Created almost 13 years ago
🇺🇸United States hefox
over 1 year ago
📌
Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor roles
Active
Drupal core 11.0 — filter.module
Created almost 5 years ago
🇦🇺Australia larowlan
over 1 year ago
✨
Create a global "kill switch" for Package Manager?
Active
Automatic Updates 3.0
Created over 2 years ago
🇺🇸United States phenaproxima
over 1 year ago
✨
Allow selection of which folder a file is to on the file/add form
Needs review
File Entity (fieldable files) 2.0
Created over 11 years ago
🇺🇸United States dave reid
over 1 year ago
📌
Add YAML support to serialization module
Needs work
Drupal core 10.1 — serialization.module
Created almost 12 years ago
🇬🇧United Kingdom damiankloip
almost 2 years ago
📌
Do not use the .php extension in mtime protected storage to work around bogus PHP extensions
Postponed: needs info
Drupal core 10.1 — base system
Created over 4 years ago
ayushst
almost 2 years ago
🐛
make x-frame-options configurable
Postponed
Drupal core 10.1 — request processing system
Created almost 9 years ago
🇨🇭Switzerland yobottehg
almost 2 years ago
🐛
The XSS filter should allow more HTML entities
Needs work
Drupal core 10.1 — base system
Created about 5 years ago
🇨🇿Czech Republic martin_klima
almost 2 years ago
🐛
MapItem unserialize function in setValue method should allow TranslatableMarkup class
Needs work
Drupal core 10.1 — field system
Created over 5 years ago
🇭🇷Croatia xSDx
almost 2 years ago
🐛
Xss::filter() does not handle HTML tags inside attribute values
Closed: duplicate
Drupal core 10.1 — filter.module
Created over 3 years ago
🇬🇧United Kingdom longwave
almost 2 years ago
✨
Drupal 10 compatibility
Fixed
jQuery UI 1.0
Created over 2 years ago
🇺🇸United States effulgentsia
almost 2 years ago
🐛
\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()
Needs work
Drupal core 10.1 — bootstrap system
Created almost 6 years ago
🇺🇸United States samuel.mortenson
almost 2 years ago
🐛
User email should not be case sensitive
Postponed
Drupal core 10.1 — user.module
Created over 9 years ago
tvn
almost 2 years ago
🐛
htmlspecialchars() expects parameter 1 to be string, array given
Needs work
Drupal core 9.5 — markup
Created over 5 years ago
🇧🇬Bulgaria Plamen.Penev
over 1 year ago

Activities

No activities found.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024

#Needs security review

Issues

The Content overview page filters out unpublished nodes when a node access module is enabledNeeds workDrupal core 11.0 — node system Created 6 months ago

[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointlessActiveDrupal core 11.0 — media system Created over 3 years ago

Security review of secure signing components for package managerNeeds reviewDrupal core 11.0 — update.module Created over 1 year ago

Dots in query parameter names converted to underscoresNeeds workDrupal core 9.5 — menu system Created over 6 years ago

ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing referencesNeeds workDrupal core 11.0 — entity_reference.module Created over 6 years ago

Don't automatically set a cookie domainNeeds reviewDrupal core 10.1 — base system Created almost 7 years ago

Allow to change upload formats for managed_fileNeeds workMenu Link Attributes 1.0 Created over 1 year ago

Security review for 8.x-1.0ActiveResource Hints 1.0 Created almost 8 years ago

Consider using phpstorage for update moduleClosed: outdatedDrupal core 11.0 — update.module Created over 8 years ago

User must be logged-in to use the cancel account link that is emailedNeeds workDrupal core 11.0 — user.module Created almost 8 years ago

Allow the use of symlinks within the files directory.Needs workDrupal core 11.0 — file system Created almost 14 years ago

Should "iFrame domain" also set "X-Frame-Options" header Needs workDrupal core 11.0 — media system Created over 5 years ago

Password reset form error makes no sense when the account is lockedNeeds workDrupal core 11.0 — user system Created over 1 year ago

Url only outputs the last value of a query parameterNeeds workDrupal core 11.0 — routing system Created over 5 years ago

"Restrict images to this site" restricts images that, by definition, *are* on this site.Needs workDrupal core 11.0 — filter.module Created about 6 years ago

Avoid overwriting .htaccess changes during scaffolding > security problemNeeds workDrupal core 11.0 — composer Created about 5 years ago

[PP-1] Add security checking for Symfony Mailer transportsPostponedDrupal core 11.0 — mail system Created about 1 year ago

Allow README.md to optionally render as the project pageFixedDrupal.org customizations 3.0 Created over 12 years ago

Stream wrappers don't decode url encoded URIsNeeds workDrupal core 9.5 — file system Created over 12 years ago

Apply for Drupal Security Advisory Coverage Closed: duplicateAdvanced Link Attributes 2.5 Created over 1 year ago

Please opt into security advisory coverageClosed: duplicateWiden Collective 1.0 Created about 7 years ago

text_summary() returns a plain string, even if passed a MarkupInterface objectNeeds workDrupal core 11.0 — text.module Created over 5 years ago

Allow password reset on account with the username matching another email; prevent registrations that match another accountNeeds workDrupal core 11.0 — user.module Created almost 13 years ago

Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor rolesActiveDrupal core 11.0 — filter.module Created almost 5 years ago

Create a global "kill switch" for Package Manager?ActiveAutomatic Updates 3.0 Created over 2 years ago

Allow selection of which folder a file is to on the file/add formNeeds reviewFile Entity (fieldable files) 2.0 Created over 11 years ago

Add YAML support to serialization moduleNeeds workDrupal core 10.1 — serialization.module Created almost 12 years ago

Do not use the .php extension in mtime protected storage to work around bogus PHP extensionsPostponed: needs infoDrupal core 10.1 — base system Created over 4 years ago

make x-frame-options configurablePostponedDrupal core 10.1 — request processing system Created almost 9 years ago

The XSS filter should allow more HTML entitiesNeeds workDrupal core 10.1 — base system Created about 5 years ago

MapItem unserialize function in setValue method should allow TranslatableMarkup classNeeds workDrupal core 10.1 — field system Created over 5 years ago

Xss::filter() does not handle HTML tags inside attribute valuesClosed: duplicateDrupal core 10.1 — filter.module Created over 3 years ago

Drupal 10 compatibilityFixedjQuery UI 1.0 Created over 2 years ago

\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()Needs workDrupal core 10.1 — bootstrap system Created almost 6 years ago

User email should not be case sensitivePostponedDrupal core 10.1 — user.module Created over 9 years ago

htmlspecialchars() expects parameter 1 to be string, array givenNeeds workDrupal core 9.5 — markup Created over 5 years ago

Activities

The Content overview page filters out unpublished nodes when a node access module is enabled
Needs work
Drupal core 11.0 — node system
Created 6 months ago

[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless
Active
Drupal core 11.0 — media system
Created over 3 years ago

Security review of secure signing components for package manager
Needs review
Drupal core 11.0 — update.module
Created over 1 year ago

Dots in query parameter names converted to underscores
Needs work
Drupal core 9.5 — menu system
Created over 6 years ago

ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing references
Needs work
Drupal core 11.0 — entity_reference.module
Created over 6 years ago

Don't automatically set a cookie domain
Needs review
Drupal core 10.1 — base system
Created almost 7 years ago

Allow to change upload formats for managed_file
Needs work
Menu Link Attributes 1.0
Created over 1 year ago

Security review for 8.x-1.0
Active
Resource Hints 1.0
Created almost 8 years ago

Consider using phpstorage for update module
Closed: outdated
Drupal core 11.0 — update.module
Created over 8 years ago

User must be logged-in to use the cancel account link that is emailed
Needs work
Drupal core 11.0 — user.module
Created almost 8 years ago

Allow the use of symlinks within the files directory.
Needs work
Drupal core 11.0 — file system
Created almost 14 years ago

Should "iFrame domain" also set "X-Frame-Options" header
Needs work
Drupal core 11.0 — media system
Created over 5 years ago

Password reset form error makes no sense when the account is locked
Needs work
Drupal core 11.0 — user system
Created over 1 year ago

Url only outputs the last value of a query parameter
Needs work
Drupal core 11.0 — routing system
Created over 5 years ago

"Restrict images to this site" restricts images that, by definition, are on this site.
Needs work
Drupal core 11.0 — filter.module
Created about 6 years ago

Avoid overwriting .htaccess changes during scaffolding > security problem
Needs work
Drupal core 11.0 — composer
Created about 5 years ago

[PP-1] Add security checking for Symfony Mailer transports
Postponed
Drupal core 11.0 — mail system
Created about 1 year ago

Allow README.md to optionally render as the project page
Fixed
Drupal.org customizations 3.0
Created over 12 years ago

Stream wrappers don't decode url encoded URIs
Needs work
Drupal core 9.5 — file system
Created over 12 years ago

Apply for Drupal Security Advisory Coverage
Closed: duplicate
Advanced Link Attributes 2.5
Created over 1 year ago

Please opt into security advisory coverage
Closed: duplicate
Widen Collective 1.0
Created about 7 years ago

text_summary() returns a plain string, even if passed a MarkupInterface object
Needs work
Drupal core 11.0 — text.module
Created over 5 years ago

Allow password reset on account with the username matching another email; prevent registrations that match another account
Needs work
Drupal core 11.0 — user.module
Created almost 13 years ago

Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor roles
Active
Drupal core 11.0 — filter.module
Created almost 5 years ago

Create a global "kill switch" for Package Manager?
Active
Automatic Updates 3.0
Created over 2 years ago

Allow selection of which folder a file is to on the file/add form
Needs review
File Entity (fieldable files) 2.0
Created over 11 years ago

Add YAML support to serialization module
Needs work
Drupal core 10.1 — serialization.module
Created almost 12 years ago

Do not use the .php extension in mtime protected storage to work around bogus PHP extensions
Postponed: needs info
Drupal core 10.1 — base system
Created over 4 years ago

make x-frame-options configurable
Postponed
Drupal core 10.1 — request processing system
Created almost 9 years ago

The XSS filter should allow more HTML entities
Needs work
Drupal core 10.1 — base system
Created about 5 years ago

MapItem unserialize function in setValue method should allow TranslatableMarkup class
Needs work
Drupal core 10.1 — field system
Created over 5 years ago

Xss::filter() does not handle HTML tags inside attribute values
Closed: duplicate
Drupal core 10.1 — filter.module
Created over 3 years ago

Drupal 10 compatibility
Fixed
jQuery UI 1.0
Created over 2 years ago

\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()
Needs work
Drupal core 10.1 — bootstrap system
Created almost 6 years ago

User email should not be case sensitive
Postponed
Drupal core 10.1 — user.module
Created over 9 years ago

htmlspecialchars() expects parameter 1 to be string, array given
Needs work
Drupal core 9.5 — markup
Created over 5 years ago