This project is not covered by Drupal’s security advisory policy.
The PHP module adds dynamic functionality based on direct PHP input in the following areas:
- A filter format for use with text formats. A PHP Code text format is directly installed with the module.
- Block visibility based on PHP code input.
- Views contextual filter and argument validator plugins based on PHP code input.
Warning
Enabling this module can cause security and performance issues, as it allows users to execute arbitrary PHP code on your site. A much better alternative is to create custom modules for the things you previously embedded PHP for: for example, a custom module that defines a block in its own code, rather than a custom block with PHP in its body.
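As an added example of the alternative recommended above (this is not code from the PHP module or its maintainers): a minimal custom module that provides a block through a block plugin and decides its visibility in `blockAccess()`, which covers both the "custom block with PHP in it" and the "block visibility based on PHP code" uses of this module. The module name `example_block`, the file paths and the permission checked are assumptions made for the illustration.

```php
<?php

// Added example, not part of the PHP module. The module name "example_block",
// the file paths and the permission used below are assumptions.
//
// File: modules/custom/example_block/example_block.info.yml (YAML, shown here as a comment):
//   name: Example block
//   type: module
//   core_version_requirement: ^9 || ^10
//
// File: modules/custom/example_block/src/Plugin/Block/GreetingBlock.php

namespace Drupal\example_block\Plugin\Block;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Block\BlockBase;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\AccountProxyInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Greets the current user.
 *
 * The logic a site might once have pasted into a "PHP code" block lives here,
 * where it is reviewed, tested and deployed like any other code.
 *
 * @Block(
 *   id = "example_greeting_block",
 *   admin_label = @Translation("Example greeting block"),
 * )
 */
class GreetingBlock extends BlockBase implements ContainerFactoryPluginInterface {

  protected AccountProxyInterface $currentUser;

  public function __construct(array $configuration, $plugin_id, $plugin_definition, AccountProxyInterface $current_user) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
    $this->currentUser = $current_user;
  }

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
    // Inject the current user service instead of calling \Drupal::currentUser().
    return new static($configuration, $plugin_id, $plugin_definition, $container->get('current_user'));
  }

  /**
   * {@inheritdoc}
   */
  public function build() {
    // A render array: the display name is escaped by the "@" placeholder of t(),
    // and no editor-supplied PHP is evaluated at render time.
    return [
      '#markup' => $this->t('Hello, @name', ['@name' => $this->currentUser->getDisplayName()]),
      '#cache' => ['contexts' => ['user']],
    ];
  }

  /**
   * {@inheritdoc}
   *
   * Replaces a "PHP code" visibility rule: the block is shown only to users
   * who hold the permission, and the result carries the right cache metadata.
   */
  protected function blockAccess(AccountInterface $account) {
    return AccessResult::allowedIfHasPermission($account, 'access content');
  }

}
```

Place the two files under the module directory, enable the module (for example with `drush en example_block`), and place the block from the block layout UI. Because the behaviour ships with the codebase, it can be reviewed, tested and rolled back like any other change, and no role on the site needs a permission that allows executing PHP.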
The module may break your site
The module has no way to validate PHP code before executing it. When using the PHP filter, it is very easy to enter incorrect code that leads to a WSOD (white screen of death): the PHP code raises a fatal error, and nothing at all is displayed on the page. It is very easy to get into this situation, and getting out of it may require direct access to the server.
The module exposes all website data to users with permission to use it
Any user with permission to use the filter can access all data available to Drupal. It is not possible to limit access to personal data, private information or unpublished content for users who have this permission. Even on a well-secured server, such a user may be able to scan the filesystem for additional files; if they can read the settings.php file of another Drupal installation, they will also be able to access its database, because that file holds the database credentials.
The module gives very wide access to the server filesystem and executables
Any user with permission to use the filter can run executables through PHP, and can read and modify every file the web server user has access to. With this access there are countless ways to take control of the site or the server.
The module makes other security issues a lot more dangerous
For example, if any of your components have a cross-site scripting (XSS) issue on a page that also accepts PHP input, the injected script can submit PHP code on behalf of a privileged user. The XSS is thereby escalated into a potential full compromise of the site's data and even of the whole server, giving attackers access to personal data.
Your site may become a spam source
A frequent goal of attackers is to use your server to send spam. Anyone who can execute PHP on the site can send email at will.
Related
Read more at #1203886: Remove the PHP module from Drupal core.
Project information
- Minimally maintained: maintainers monitor issues, but fast responses are not guaranteed.
- Maintenance fixes only: considered feature-complete by its maintainers.
- Project categories: Content editing experience
- 7,571 sites report using this module
- By robloach on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
Releases
Adding Drupal 10 support while keeping Drupal 9 support. General bugfixes.
Development version: 8.x-1.x-dev updated 4 Apr 2024 at 12:18 UTC