Closed (fixed)
Project:
Coder
Version:
6.x-1.x-dev
Component:
Review/Rules
Priority:
Critical
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
8 Oct 2008 at 22:04 UTC
Updated:
22 Aug 2010 at 20:30 UTC
Several modules were incorrectly updated to the D6 menu API, resulting in security vulnerabilities (SA-2008-063). Coder should check for this apparently quite common mistake. Here's a rule based on the regex that pwolanin used to find the vulnerable modules (although there were a small number of false positives).
I'm not sure if this belongs in the 6x review or the security review; the attached patch puts it in 6x.
| Comment | File | Size | Author |
|---|---|---|---|
| coder-6x-menu-access.patch | 1.34 KB | john morahan |
Comments
Comment #1
john morahan commentedgrr, they moved. SA-2008-063, SA-2008-062, SA-2008-054
see also #319360: Harden checking of 'access callback' in menu system API
Comment #2
john morahan commentedAny chance of getting this committed? There was another instance of this security vulnerability last week: SA-CONTRIB-2009-014
Comment #3
stella commentedCommitted to 6.x-2.x and 7.x branches, along with tests.