- 🇺🇸United States cmlara
As a site owner, I'm going to miss Parentheses, Ampersand and Space. A little less Brackets, Pound Sign and Exclamation Point, though I encounter them.
As a security engineer: This is not a bad hardening, however it is certainly not a fix for wherever the faults actually occur.
As someone who has used this in the past to perform sample RCEs against site setups, I can say yes, this would make it much harder to exploit.
I also wish to reiterate that for these characters to cause issue someone has had to make some very serious mistakes downstream, mistakes that this change likely does not actually remove the vulnerabilities of, just at most makes it significantly harder to exploit (move from Basic to Complex, saving 1 point on the Drupal Vulnerability Scoring) and maybe move the Impacted Environment from All to Uncommon (2 points on the Drupal Score scale).
I agree with @smustgrave the 'excluded' ideas would be nice to have listed for historical purposes.
- 🇺🇸United States smustgrave
Can what's not making it in be scratched from the proposed solution?
- 🇦🇺Australia kim.pepper 🏄‍♂️🇦🇺Sydney, Australia
I think we agreed on stripping special characters. It was more about which characters to strip. I have a feeling stripping whitespace might be contentious.
- 🇺🇸United States smustgrave
I mean the proposed solution read like there were several approaches? Unless I read that wrong.
- 🇦🇺Australia kim.pepper 🏄‍♂️🇦🇺Sydney, Australia
Looking at the solution were all options taken?
Do you mean are all the special characters included?
- 🇨🇭Switzerland berdir Switzerland
We can probably identify a few more patterns that we can exclude other than just form, such as entity view and so on.
Looking at the test fails, most have a few but many are repeating very often. If we fix a few of them, e.g. system, user and entity routes, then we might get a better picture of how big the impact really is.
Considering recent contrib security issues, I think it's worth exploring this bit. I think the entity query access change was at least as impactful. This is mostly about a single file per module and easier to identify than those entity queries.
- 🇷🇴Romania vasike Ramnicu Valcea
As Drupal 7.x and also the modules' 7.x versions "ended their lives", closing the 7.x issues.
And thanks for participating and using the module.
p.s. if this is still an issue on the latest 2.x version, please feel free to re-open and update the version accordingly.
p.s.2. I know it's a S issue ... but ...
- 🇺🇸United States smustgrave
Tests appear to be there so removing that tag.
Automatically closed - issue fixed for 2 weeks with no activity.
- 🇬🇧United Kingdom catch
I forgot this issue existed and opened Require password confirmation to install new code Active against project browser. Cross-linking the two issues.