There is an XSS vulnerability in the league/commonmark library in versions < 0.18.1: https://github.com/thephpleague/commonmark/issues/337.
It has been fixed in version 0.18.1. However, for markdown version 8.x-1.x the required version of this library is ^0.15.0. We need to update to the latest version and since it is a jump from 0.15 to 0.18, we need to rigorously test it to make sure it does not have any breaking changes which could make the module unusable.
Comment | File | Size | Author |
---|---|---|---|
#15 | 3024662-15.patch | 322 bytes | kim.pepper |
#6 | markdown-3024662-6.patch | 322 bytes | ptmkenny |
Comments
Comment #2
shabana.navas CreditAttribution: shabana.navas at Acro Commerce commented
Comment #3
markhalliwell
Version management of external libraries is handled by composer. You can already install a higher version if you need to (in this case for sec reasons).
I follow that project fairly closely and Colin has already promised that the 0.x versions will remain BC from 0.15 onward.
I already have plans to update the "install" version to the latest release in #2952435: Merge in the CommonMark project (which I'm still working on, albeit... not my biggest priority ATM).
Comment #4
markhalliwell
Regardless, this still needs to happen. Best to not forget about it, just in case.
Comment #5
ptmkenny CreditAttribution: ptmkenny commented
I tried to update commonmark with composer, but when I run `composer update league/commonmark`, I get "nothing to update." So I tried to install it manually like this:
This particular example is from 1.2, but I get a similar error with 2.0-alpha1.
Comment #6
ptmkenny CreditAttribution: ptmkenny commented
Attaching a patch for 1.x-dev. Unfortunately, this doesn't work as a patch until the module has a release, because by the time the module is patched, composer has already calculated the dependencies.
Comment #7
kim.pepper
@markcarver As per #5, it's still not possible to install this with a secure version of league/commonmark.
Bumping to critical because of this.
Comment #8
kim.pepper
Comment #9
geek-merlin
To sort this out: it looks to me that this is fixed:
* composer.json · 8.x-2.0-alpha1 · project / markdown · GitLab has "league/commonmark": "^0.17.1|^1.0"
* composer.json · 8.x-2.x · project / markdown · GitLab has "league/commonmark": ">=0.18.0"
whyever... what do you say?
Comment #10
kim.pepper
According to https://github.com/thephpleague/commonmark/issues/337 this is fixed in 0.18.1. The current recommended version of 2.0-alpha1 has a version constraint "league/commonmark": "^0.17.1|^1.0" which does not allow you to install ^0.18.1.
I get the following error when using the 2.x dev version
Fatal error: Declaration of Drupal\markdown\Plugin\Markdown\Extension\AtAutolinker::getCharacters() must be compatible with League\CommonMark\Inline\Parser\InlineParserInterface::getCharacters(): array in /data/app/modules/contrib/markdown/src/Plugin/Markdown/Extension/AtAutolinker.php on line 23
Comment #11
mxr576
Can we get this fix merged?
Comment #12
geek-merlin
> The current recommended version of 2.0-alpha1 has a version constraint "league/commonmark": "^0.17.1|^1.0" which does not allow you to install ^0.18.1.
Ah OK, get it: According to the composer docs, ^0.17.1 means <0.18...
> Can we get this fix merged?
The fix is in dev, so we should issue-request a stable release...
> I get the following error when using the 2.x dev version
...after that bug is fixed.
Please open an issue for it!
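As an added check (not code from this thread or the markdown module), a small Python model of Composer's `^` and comparison constraints, showing why `^0.15.0` and `^0.17.1|^1.0` can never resolve to the patched 0.18.1, and that `>=0.18.0` still admits 0.18.0, which is inside the vulnerable `< 0.18.1` range. The constraint `^0.18.1|^1.0` is an assumed corrected value used for comparison, not one proposed in the thread.

```python
import re

def parse_version(text: str) -> tuple:
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a 3-tuple; missing parts are 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])

def caret_bounds(base: tuple) -> tuple:
    """Composer '^': allow updates that keep the left-most non-zero part,
    so ^0.17.1 means >=0.17.1 <0.18.0 and ^1.0 means >=1.0.0 <2.0.0."""
    upper = list(base)
    for i, part in enumerate(base):
        if part != 0:
            upper[i] = part + 1
            upper[i + 1:] = [0] * (2 - i)
            break
    return base, (upper[0], upper[1], upper[2])

def _predicate(token: str):
    """Turn one constraint token (^x.y.z, >=x.y, <x, =x or bare x) into a test."""
    if token.startswith("^"):
        lo, hi = caret_bounds(parse_version(token[1:]))
        return lambda v: lo <= v < hi
    m = re.fullmatch(r"(>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})", token)
    if not m:
        raise ValueError(f"unsupported constraint token: {token!r}")
    op, base = m.group(1) or "=", parse_version(m.group(2))
    return {">=": lambda v: v >= base, "<=": lambda v: v <= base,
            ">": lambda v: v > base, "<": lambda v: v < base,
            "=": lambda v: v == base}[op]

def satisfies(constraint: str, version: str) -> bool:
    """True if `version` is admitted by a Composer constraint: alternatives
    are separated by '|' or '||', terms inside one by whitespace or ','."""
    v = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        terms = [t for t in re.split(r"[\s,]+", alternative) if t]
        if terms and all(_predicate(t)(v) for t in terms):
            return True
    return False

if __name__ == "__main__":
    # Constraints quoted in this thread, plus the assumed corrected one,
    # checked against patched 0.18.1 and against still-vulnerable 0.18.0.
    for c in ("^0.15.0", "^0.17.1|^1.0", ">=0.18.0", "^0.18.1|^1.0"):
        print(f"{c:16} admits 0.18.1: {satisfies(c, '0.18.1')!s:5} "
              f"admits vulnerable 0.18.0: {satisfies(c, '0.18.0')}")
```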
Comment #13
mxr576
As I can see there is a patch for #10 in https://www.drupal.org/project/markdown/issues/3048976
Comment #14
malcolm_p CreditAttribution: malcolm_p commented
It sounds like the 1.x version needs to be updated to ~0.15.0 < 0.19.0 based on the 0.19 breaking change.
Comment #15
kim.pepper
This was originally posted as an 8.x-1.x issue and it still applies to that branch, so switching it back.
Comment #16
markhalliwell
Comment #18
markhalliwell