Posted by John Morahan on October 8, 2008 at 10:04pm
| Project: | Coder |
| Version: | 6.x-1.x-dev |
| Component: | Review/Rules |
| Category: | feature request |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
Several modules were incorrectly updated to the D6 menu API, resulting in security vulnerabilities (SA-2008-063). Coder should check for this apparently quite common mistake. Here's a rule based on the regex that pwolanin used to find the vulnerable modules (although there were a small number of false positives).
I'm not sure if this belongs in the 6x review or the security review; the attached patch puts it in 6x.
| Attachment | Size |
|---|---|
| coder-6x-menu-access.patch | 1.34 KB |
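As an added illustration (not the patch attached to this issue, nor Coder's own code), here is the D6 porting mistake this rule is meant to catch beside its correct form, plus a review-style check in the spirit of the attached rule. The exact regex pwolanin used is not on this page, so the pattern below, and the `example` module name, are assumptions.

```php
<?php
// Added example, not the Coder patch from this issue. Assumption: the common
// D6 porting mistake is passing the *result* of user_access() as the
// 'access callback' or 'access arguments' value. That call then runs once at
// menu-rebuild time (usually triggered by an admin, so it returns TRUE) and
// the stored TRUE grants every visitor access on later requests.

// Vulnerable hook_menu(): access decided at rebuild time, stored as TRUE.
function example_menu_vulnerable() {
  $items['admin/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'example_settings',
    'access callback' => user_access('administer example'),  // WRONG
  );
  return $items;
}

// Correct D6 form: name the callback; the permission is passed per request.
function example_menu_fixed() {
  $items['admin/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'example_settings',
    'access callback' => 'user_access',
    'access arguments' => array('administer example'),
  );
  return $items;
}

// Regex-based check (assumed pattern): flag an 'access callback' or
// 'access arguments' whose value is a function call, directly or wrapped in
// array(...). Quoted callback names and the literal TRUE are left alone.
function example_find_menu_access_mistakes($source) {
  $pattern = "/'access\s+(callback|arguments)'\s*=>\s*"
           . "(?:array\s*\(\s*)?(?!array\b)\w+\s*\(/i";
  $findings = array();
  foreach (explode("\n", $source) as $index => $line) {
    if (preg_match($pattern, $line)) {
      $findings[] = ($index + 1) . ': ' . trim($line);
    }
  }
  return $findings;
}

// Constructed sample: only lines 1 and 4 should be reported.
$sample = "'access callback' => user_access('administer example'),\n"
        . "'access callback' => 'user_access',\n"
        . "'access arguments' => array('administer example'),\n"
        . "'access arguments' => array(user_access('administer example')),\n";
print_r(example_find_menu_access_mistakes($sample));
```

Like any regex rule this produces some false positives (as the report notes), so each hit still needs a human look at whether the value is evaluated at rebuild time.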
Comments
#1
grr, they moved. SA-2008-063, SA-2008-062, SA-2008-054
see also #319360: Harden checking of 'access callback' in menu system API
#2
Any chance of getting this committed? There was another instance of this security vulnerability last week: SA-CONTRIB-2009-014
#3
Committed to 6.x-2.x and 7.x branches, along with tests.
#4
Automatically closed -- issue fixed for 2 weeks with no activity.