Sorry for this request: I have this output and I don't understand why - I use pathauto.
How to solve?
The default /node page created by Drupal core is still enabled. With improper setup of node types, this can reveal sensitive information (e.g. using the profile module with automatic publish to front activiated)!
many thanks!
Comment | File | Size | Author |
---|---|---|---|
 | Is/node available? --- Security risk! | 24.71 KB | bardill |
Comments
Comment #1
malc0mn commented:
Please refer to: http://drupal.org/node/1033574#comment-5365118
Comment #2
bardill commented:
Many thanks malc0mn - but it's impossible to understand.
How to solve this check? What are the settings?
Many thanks. b
Comment #3
malc0mn commented:
This error might not be relevant to you at all. If you have created a custom homepage and set it to be the default homepage in /admin/settings/site-information (all the way at the bottom) then it is relevant.
The solution is simply to unset the standard 'node' page using a hook_menu_alter() and the warning will go away.
In writing this response, I'm reopening the issue and marking it as a bug, as I should add an additional check before issuing this security alert:
Since it is not an issue when actually using the default /node homepage.
Or maybe better avoid running the check altogether if the default /node page is actually used? Not sure yet though:
In short: check /admin/settings/site-information (I assume you're on D6, given the issue state) and see if the Default front page field is empty or set to 'node'. If that is the case, then you can ignore the warning.
Comment #4
bardill commented:
Many thanks for your time malc0mn. Great!
In /admin/settings/site-information my Default front page field is set with a views path: news
Can I ignore the warning?
Many thanks.
b
Comment #5
malc0mn commented:
No, then you should implement the hook_menu_alter() to unset() the /node path.
Comment #6
malc0mn commented:
Applied to all branches. Used a different approach though.
Comment #7
bardill commented:
Many thanks for your continued work.
Comment #9
OnkelTem commented:
If this is such a common case, why not provide this override in the production check module and make it customizable on the prod check settings page?
Also, does this apply to Drupal 7, or is there another way to "turn off" the /node page? If yes, can I change the version of this issue to 7.x?
Comment #10
OnkelTem commented:
An attempt to draw more attention! :)
Comment #11
malc0mn commented:
I thought about integrating this in prod_check, but however silly and small it is, it really has no place in this module. This would open the door to adding other stuff like this to prod_check, while prod_check's only task is to perform checks and inform you about the status of your setup. That's it :)
Just add the hook to one of your custom modules:
or even better in my opinion:
Clear the cache and you're good to go.
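The hook_menu_alter() approach discussed in this thread, shown as an added example: it is not code posted by any participant and not part of prod_check. The module name `mymodule` is hypothetical, and the check against the `site_frontpage` variable is an assumption based on the "Default front page" condition described above (Drupal 6/7 API).

```php
<?php
// Added example; "mymodule" is a hypothetical custom module name.

/**
 * Implements hook_menu_alter().
 *
 * Removes the core /node listing when it is not the configured front page,
 * so that published nodes promoted to the front page are not exposed on a
 * listing nobody intended to publish.
 */
function mymodule_menu_alter(&$items) {
  // 'site_frontpage' stores the "Default front page" value from the
  // site information settings; core falls back to 'node' when it is unset.
  $front = variable_get('site_frontpage', 'node');

  // Keep the listing when it really is the front page: in that case
  // exposing /node is intended.
  if ($front === 'node' || $front === '') {
    return;
  }

  // Drop the router entry for the default listing so that /node returns
  // "Page not found". Paths such as node/123 and node/add are separate
  // router entries and are not affected.
  unset($items['node']);
}
```

The condition is evaluated only when the menu router is rebuilt, so clear the cache again after changing the Default front page.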
Comment #12
OnkelTem commented:
@malc0mn
Thank you for the quick reply and the proposed solution!
Comment #13
OnkelTem commented:
I created a simple module for Drupal 7 which disables the 'node' page when it's not the site's front page:
http://drupal.org/sandbox/onkeltem/1805684
Comment #14
malc0mn commented:
See first comment in this thread :-D
Comment #15
OnkelTem commented:
@malc0mn
Lol :)