Add check for incorrect use of 'access callback'
John Morahan - October 8, 2008 - 22:04
| Project: | Coder |
| Version: | 6.x-1.x-dev |
| Component: | Review/Rules |
| Category: | feature request |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | needs review |
Description
Several modules were incorrectly updated to the D6 menu API, resulting in security vulnerabilities (SA-2008-063). Coder should check for this apparently quite common mistake. Here's a rule based on the regex that pwolanin used to find the vulnerable modules (although there were a small number of false positives).
I'm not sure if this belongs in the 6x review or the security review; the attached patch puts it in 6x.
| Attachment | Size |
|---|---|
| coder-6x-menu-access.patch | 1.34 KB |
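
An added example, not part of the original post and not the attached patch or pwolanin's regex: a small scanner for the kind of check requested above. It assumes the mistake is an `'access callback'` value that is anything other than a quoted function name or `TRUE`/`FALSE`, such as a direct `user_access(...)` call that is evaluated once when the menu is built; the patterns, the function name and the sample module code are constructed for illustration.

```python
import re

# 'access callback' => <value>; the value is a quoted string or runs to the next comma.
ACCESS_CB = re.compile(
    r"""(['"])access callback\1\s*=>\s*(?P<value>'[^']*'|"[^"]*"|[^,\n]+)""")
# Values treated as correct here: a quoted function name, or a boolean literal.
SAFE_VALUE = re.compile(r"""^(?:(['"])[A-Za-z_]\w*\1|TRUE|FALSE)$""", re.IGNORECASE)
# A bare function call, e.g. user_access('...'), runs at menu build time.
CALL = re.compile(r"^[A-Za-z_]\w*\s*\(")


def find_suspect_access_callbacks(php_source):
    """Return (line number, kind, value) for each suspicious 'access callback'.

    kind is "call" for a function call used as the value, and "review" for
    anything else that is not a literal function name or boolean (variables,
    concatenations); the latter may be false positives needing a manual look.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for match in ACCESS_CB.finditer(line):
            value = match.group("value").strip()
            if SAFE_VALUE.match(value):
                continue
            kind = "call" if CALL.match(value) else "review"
            findings.append((lineno, kind, value))
    return findings


# Constructed hook_menu() sample: one bad entry, two correct ones, one to review.
SAMPLE = """\
function example_menu() {
  $items['admin/settings/example'] = array(
    'page callback' => 'example_admin',
    'access callback' => user_access('administer example'),
  );
  $items['example/list'] = array(
    'access callback' => 'user_access',
    'access arguments' => array('access content'),
  );
  $items['example/open'] = array('access callback' => TRUE, 'type' => MENU_CALLBACK);
  $items['example/dyn'] = array('access callback' => $callback, 'type' => MENU_CALLBACK);
  return $items;
}
"""

if __name__ == "__main__":
    for lineno, kind, value in find_suspect_access_callbacks(SAMPLE):
        print(f"line {lineno}: [{kind}] 'access callback' => {value}")
```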

#1
grr, they moved. SA-2008-063, SA-2008-062, SA-2008-054
see also #319360: Harden checking of 'access callback' in menu system API
#2
Any chance of getting this committed? There was another instance of this security vulnerability last week: SA-CONTRIB-2009-014