Several modules were incorrectly updated to the D6 menu API, resulting in security vulnerabilities (SA-2008-063). Coder should check for this apparently quite common mistake. Here's a rule based on the regex that pwolanin used to find the vulnerable modules (although there were a small number of false positives).

I'm not sure if this belongs in the 6x review or the security review; the attached patch puts it in 6x.

CommentFileSizeAuthor
coder-6x-menu-access.patch1.34 KBjohn morahan

Comments

john morahan’s picture

Title: Add check for correct use of 'access callback' » Add check for incorrect use of 'access callback'
john morahan’s picture

Any chance of getting this committed? There was another instance of this security vulnerability last week: SA-CONTRIB-2009-014

stella’s picture

Status: Needs review » Fixed

Committed to 6.x-2.x and 7.x branches, along with tests.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.