Home » Download » Drupal project » Drupal » Issues

Harden checking of 'access callback' in menu system API

pwolanin - October 10, 2008 - 02:15
Project:Drupal
Version:7.x-dev
Component:menu system
Category:feature request
Priority:critical
Assigned:Unassigned
Status:needs work
Description

SA-2008-63 saw a rash of contrib modules that were improperly updated to the new menu system. The fact that we use booleans for indicating access always allowed or never allow turns out to make it easier than it should to make an access bypass by doing a function call to user_access() (for example).

To harden this piece of the core APi going forward, chx proposed and I implemented a minor modification to the menu system to used defined strings rather than booleans.

» Login or register to post comments

#1

pwolanin - October 10, 2008 - 02:22
Title: Strengthen 'access callback' APi in menu system » Harden checking of 'access callback' in menu system API
Status:active» needs review

pretty simple patch.

AttachmentSizeStatusTest resultOperations
access-callback-harden-D7-319360-1.patch1.91 KBIdleFailed: Failed to run tests.View details | Re-test
Login or register to post comments

#2

webchick - October 11, 2008 - 03:50

Could I have a bit more information? How are contrib modules getting this wrong?

Login or register to post comments

#3

Dave Reid - October 11, 2008 - 03:52

I'm not sure that we should make things a little bit harder when contrib modules can't do access control right. But that's my opinion...

Login or register to post comments

#4

catch - October 11, 2008 - 08:45

People are putting

<?php
'access callback' => user_access('use PHP');
?>

which evaluates as TRUE.

afaik, it doesn't make any more work in contrib, just stops poorly upgraded D5 modules from having access bypasses when they completely ignore how the new menu system works.

Login or register to post comments

#5

pwolanin - October 11, 2008 - 13:01

here's a patch that actually converts the few uses in core.

All tests pass with this patch: 6884 passes, 0 fails, 0 exceptions

@Dave Reid - this patch should make it harder for contrib to get it wrong, but not at all harder to get it right.

AttachmentSizeStatusTest resultOperations
access-callback-harden-D7-319360-5a.patch5.79 KBIdleFailed: 7226 passes, 20 fails, 0 exceptionsView details | Re-test
Login or register to post comments

#6

pwolanin - November 4, 2008 - 13:47
Status:needs review» needs work

looks like this needs work

Login or register to post comments

#7

pwolanin - November 4, 2008 - 14:18

looks like the problem was just soe additional items in a test module that the prior patch misses

AttachmentSizeStatusTest resultOperations
access-callback-harden-D7-319360-7.patch6.49 KBIdleFailed: Failed to apply patch.View details | Re-test
Login or register to post comments

#8

pwolanin - November 4, 2008 - 20:36
Status:needs work» needs review
Login or register to post comments

#9

moshe weitzman - November 7, 2008 - 03:40

IMO, this is a result of people doing a rushed d5 to d6 upgrade. perhaps coder or deadwood contributed to the problem - i don't know. anyway, the problem is gone with d6 => d7 so i really think this is not very useful. IMO, this is babysitting. I don't feel strongly though.

Login or register to post comments

#10

Dries - November 7, 2008 - 18:55

I'm not particularly fond of this patch, to be honest.

Login or register to post comments

#11

System Message - November 16, 2008 - 22:00
Status:needs review» needs work

The last submitted patch failed testing.

Login or register to post comments

#12

webchick - November 17, 2008 - 07:00
Status:needs work» needs review

submitting for re-testing after snafu this afternoon.

Login or register to post comments

#13

System Message - December 9, 2008 - 23:30
Status:needs review» needs work

The last submitted patch failed testing.

Login or register to post comments
 
 

Drupal is a registered trademark of Dries Buytaert.