| Summary | Status | Priority | Category | Version | Component | Replies | Last updated | Assigned to | Created |
|---|---|---|---|---|---|---|---|---|---|
| Consider using a random seed instead of the session_id for CSRF token generation | Needs work | Critical | Task | 8.x-dev | base system | 27 | 3 hours 51 min | | 4 days 19 hours |
| Remove the optional $skip_anonymous parameter from CsrfTokenGenerator::validate and remove the dependency on current_user service | Fixed | Normal | Task | 8.x-dev | base system | 9 | 21 hours 20 min | | 4 days 15 hours |
| Use +SymLinksIfOwnerMatch instead of +FollowSymLinks option in .htaccess - Security | Needs review | Normal | Feature request | 8.x-dev | base system | 45 | 1 day 13 hours | hswong3i | 2 years 7 months |
| Turn on twig autoescape by default. | Needs work | Normal | Bug report | 8.x-dev | theme system | 57 | 3 days 4 hours | | 1 year 5 months |
| Check for common words in password strength indicators | Needs work | Normal | Feature request | 8.x-dev | user.module | 71 | 6 days 10 hours | | 2 years 1 month |
| filter_html (Xss::filter()) breaks URLs in image captions | Needs work | Major | Bug report | 8.x-dev | filter.module | 17 | 1 week 2 days | Wim Leers | 6 months 2 weeks |
| Improve security of session ID against DB exposure or SQL injection | Needs work | Critical | Task | 7.x-dev | base system | 26 | 1 week 5 days | | 3 months 3 weeks |
| Include defenses against BREACH and other TLS attacks in Drupal core | Needs work | Critical | Task | 8.x-dev | base system | 6 | 2 weeks 2 days | | 2 weeks 4 days |
| Strengthen password hashing mechanism | Needs work | Normal | Task | 8.x-dev | base system | 50 | 2 weeks 6 days | | 2 years 10 months |
| .htaccess protections do not work on Apache 2.4 without mod_access_compat | Patch (to be ported) | Critical | Bug report | 7.x-dev | base system | 52 | 3 weeks 2 days | | 1 year 11 months |
| Use the private filesystem for config directories, and expose a private filesystem path setting in the installer | Active | Normal | Task | 8.x-dev | configuration system | 11 | 3 weeks 2 days | | 1 year 2 months |
| Installing Drupal: better documentation for file permissions | Needs work | Normal | Feature request | 8.x-dev | install system | 53 | 3 weeks 3 days | | 4 years 3 weeks |
| Check usernames that are email addresses more rigidly, only allow if matches email | Needs review | Major | Bug report | 8.x-dev | user system | 17 | 4 weeks 15 hours | | 10 months 3 weeks |
| Allow users to login using either their username OR their e-mail address | Needs work | Normal | Feature request | 8.x-dev | user.module | 94 | 4 weeks 1 day | | 7 years 3 months |
| Figure out override priorities and whether we want global overrides to stick (settings.php overrides don't work on all pages) | Needs work | Critical | Task | 8.x-dev | configuration system | 50 | 1 month 1 day | | 1 year 1 month |
| Potential Vulnerability In DatabaseConnection_mysql | Needs review | Normal | Bug report | 8.x-dev | database system | 3 | 1 month 3 days | | 2 years 10 months |
| Add a web.config to the several directories similar to the .htaccess file | Needs work | Normal | Feature request | 8.x-dev | base system | 14 | 1 month 3 days | | 2 years 12 hours |
| Correctly label all site-owning super-admin permissions | Active | Normal | Task | 8.x-dev | base system | 41 | 1 month 3 days | | 4 years 6 months |
| Run drupal_prepare_form() before the form constructor instead of after | Needs work | Normal | Task | 8.x-dev | forms system | 3 | 1 month 3 days | sun | 2 years 2 months |
| Add (default) limits on password recovery for active users and/or hook | Active | Normal | Feature request | 9.x-dev | user system | 3 | 1 month 3 days | | 5 years 6 months |
| Add a core Drupal.checkMarkup() function like check_markup() | Needs work | Normal | Feature request | 8.x-dev | javascript | 42 | 1 month 3 days | | 4 years 7 months |
| Resulting string format of token_replace(..., array('sanitize' => FALSE)) is undefined | Needs work | Normal | Bug report | 8.x-dev | token system | 30 | 1 month 3 days | | 3 years 5 months |
| locale.module adds wrong js path | Needs work | Normal | Bug report | 6.x-dev | locale.module | 91 | 1 month 3 days | | 6 years 1 day |
| Prevent access to YAML files using .htaccess | Needs work | Normal | Task | 8.x-dev | configuration system | 12 | 1 month 3 days | | 1 year 3 weeks |
| Document the WYSIWYG XSS filtering concept and architecture for developers | Active | Major | Task | 8.x-dev | editor.module | 3 | 1 month 3 days | Wim Leers | 2 months 2 weeks |
| Use httponly cookie support when available | Closed (won't fix) | Normal | Task | 6.x-dev | user.module | 64 | 1 month 3 days | pwolanin | 5 years 9 months |
| Permissions are assumed to be unique among modules, but uniqueness is not enforced | Needs work | Major | Bug report | 8.x-dev | user.module | 102 | 1 month 2 weeks | | 4 years 6 months |
| [policy] How to handle unforeseen diversion of Symfony code in stable/API-locked Drupal core? | Closed (duplicate) | Normal | Task | 8.x-dev | base system | 32 | 1 month 2 weeks | | 2 years 2 months |
| User log Out with external redirect does not log out - Security Risk | Active | Normal | Support request | 7.0 | user.module | 10 | 1 month 2 weeks | | 3 years 2 months |
| Protect WYSIWYG Editors from XSS Without Destroying User Data | Closed (fixed) | Critical | Bug report | 8.x-dev | editor.module | 64 | 1 month 2 weeks | Wim Leers | 6 months 4 weeks |
| Add .php extension to PHP files | Needs work | Normal | Feature request | 8.x-dev | extension system | 98 | 1 month 3 weeks | cweagans | 10 years 5 days |
| Account creation and password reset forms leak user existence | Active | Normal | Task | 8.x-dev | user.module | 2 | 2 months 1 week | | 2 months 1 week |
| Upgrade Twig to 1.15.* from 1.12.* | Closed (fixed) | Major | Task | 8.x-dev | theme system | 15 | 2 months 3 weeks | | 3 months 1 week |
| Core should consistently filter_xss_admin() on $site_slogan and check_plain $site_name | Needs work | Major | Bug report | 8.x-dev | theme system | 130 | 2 months 4 weeks | | 4 years 11 months |
| Hide vulnerable drupal install.php sites from search engines | Closed (fixed) | Normal | Bug report | 7.x-dev | install system | 19 | 3 months 1 week | s.Daniel | 1 year 7 months |
| Testing path for +SymLinksIfOwnerMatch instead of +FollowSymLinks option in .htaccess - Drupal 7.x - Security | Patch (to be ported) | Normal | Feature request | 7.x-dev | sqlite db driver | 6 | 5 months 2 days | | 6 months 2 weeks |
| Testing patch for +SymLinksIfOwnerMatch instead of +FollowSymLinks option in .htaccess - Drupal 6.x - Security | Patch (to be ported) | Normal | Feature request | 6.x-dev | base system | 4 | 5 months 2 days | | 6 months 2 weeks |
| Refactor Attribute classes - Cleanup, Security, and Readability and minor performance | Closed (fixed) | Normal | Task | 8.x-dev | theme system | 50 | 6 months 1 week | | 11 months 10 hours |
| Private file download returns access denied message if the file is attached to an old revision. | Needs work | Normal | Bug report | 8.x-dev | file.module | 31 | 7 months 1 day | | 2 years 2 months |
| Incorrect encoding for error pages. | Needs work | Minor | Bug report | 7.x-dev | image system | 5 | 7 months 1 day | | 3 years 1 month |
| hook_requirements() for un-protected configuration directories | Active | Normal | Task | 8.x-dev | configuration system | 24 | 8 months 1 week | | 1 year 2 months |
| system_goto_action breaks core APIs | Needs work | Major | Bug report | 7.x-dev | system.module | 203 | 8 months 2 weeks | | 4 years 1 month |
| Mark strings as localizable/translatable (new t()-alike string function that isn't t(), only for potx) | Needs work | Critical | Feature request | 9.x-dev | base system | 18 | 9 months 1 week | | 2 years 2 days |
| Add modular authentication system, including Http Basic; deprecate global $user | Closed (fixed) | Critical | Task | 8.x-dev | rest.module | 168 | 9 months 1 week | | 1 year 3 months |
| Ease security audits of core code | Active | Normal | Task | 8.x-dev | documentation | 5 | 9 months 2 weeks | | 9 months 2 weeks |
| Test the interactive installer | Closed (fixed) | Major | Task | 8.x-dev | install system | 62 | 10 months 1 week | chx | 1 year 2 weeks |
| Allow SimpleTest to test the non-interactive installer | Closed (fixed) | Major | Task | 8.x-dev | simpletest.module | 29 | 11 months 4 weeks | | 4 years 5 months |
| Config staging directory needs a .htaccess file | Closed (fixed) | Critical | Bug report | 8.x-dev | configuration system | 15 | 1 year 1 month | | 1 year 2 months |
| hide usernames from users without the "access user profiles" permission | Needs review | Normal | Feature request | 8.x-dev | user system | 27 | 1 year 2 months | | 3 years 9 months |
| Implement PHP reading/writing secured against "leaky" script | Closed (fixed) | Critical | Task | 8.x-dev | base system | 140 | 1 year 2 months | | 1 year 9 months |

Subscribe with RSS Subscribe to Issues for Drupal core