See SA-CORE-2011-001 - there is an XSS issue in Color module that was fixed in Drupal 7. This fix needs to be applied to the 8.x development branch also.
Most likely just a matter of taking the Color module portions of http://drupalcode.org/project/drupal.git/commitdiff/316bd96 (minus the update function) and applying them to D8. Perhaps could use a test also (to actually verify that it's fixed in D8).
Comments
Comment #1
David_Rothstein CreditAttribution: David_Rothstein commentedRelated issue: #1179426: File module security fixes from SA-CORE-2011-001 not yet applied to Drupal 8
Comment #2
aspilicious CreditAttribution: aspilicious commentedStill needs test.
I'm not going to do this unless someone gives me a complete walkthrough in irc.
Just out of curiosity why are there brackets in form_set_error behind palette?
form_set_error('palette][' ...)
Comment #3
wojtha CreditAttribution: wojtha commented#2 @aspilicious
This is how form_set_error() works. If you have eg.
$form['palette']['color']
, you are setting the form error on color withform_set_error('palette][color', 'Error message');
in case that *palette* is the parent of the *color* - palette has #tree set to TRUE.Powered by Dreditor.
Comment #4
scor CreditAttribution: scor commented@aspilicious: writing tests should be easy enough, you just have to make sure that invalid CSS color codes trigger a form error with the message '%name must be a valid hexadecimal CSS color value'. invalid color codes are for example #abcdefg, #z012345, etc. these tests could also be backported to D7.
Comment #5
aspilicious CreditAttribution: aspilicious commentedI'm on it (at least I'm trying :) )
Comment #6
aspilicious CreditAttribution: aspilicious commentedI can't test on my windows system. Database timeout or something like that.
I tried to make a patch with the help of Swentel.
I'm curious what the testbot will say :)
Comment #7
scor CreditAttribution: scor commentedI doubt this will work, the value of %name is missing from assertText().
and with
'#z012345'
, I meant to write'#z01234'
, that is a 6 digit code but with an invalid character.Comment #8
aspilicious CreditAttribution: aspilicious commentedMaybe this will work... not sure...
Comment #10
aspilicious CreditAttribution: aspilicious commentedHmm lets try to login this time...
Comment #11
aspilicious CreditAttribution: aspilicious commentedComment #12
aspilicious CreditAttribution: aspilicious commentedI think this is ok now. Test needs a better comment or a '.' in the end.
I'm attaching a drupal 7 test only patch.
Drupal 8: patch in #10
Drupal 7: patch in #12
Comment #14
aspilicious CreditAttribution: aspilicious commentedNeeds review for #10
Comment #15
tstoecklerThe test should be backported to D7.
Code review:
I don't like that error message. %name will be something like "Main background" and inserting that, the sentence doesn't sound very good. Also I think we can drop the "CSS" part. Suggestion:
I'm generally not a fan of testing these kind of low-level things, but if we are already testing this, I think we should add a proper set of tests (and a foreach :)).
Maybe:
or whatever the best syntax is.
That said, I tried the patch out and it works.
Comment #16
aspilicious CreditAttribution: aspilicious commentedOk the first two patches contain the tests for D7. One breaks strings the other doesn't
The last patch contains the D8 patch.
Comment #18
aspilicious CreditAttribution: aspilicious commented#16: 1179424-color-security-fix-16.patch queued for re-testing.
Comment #20
aspilicious CreditAttribution: aspilicious commentedLets try to upload this again. (only the D8 version). Stupid test bot...
Comment #21
tstoecklerLooks RTBC to me, but leaving for more reviews.
Comment #22
scor CreditAttribution: scor commentedThat looks good to me too.
Comment #23
webchickBeautiful! Thanks so much, folks!
Committed to 8.x, and committed the tests only to 7.x.
Comment #24
webchickD'oh. Well that'll teach me to commit blindly. :P This fails testbot in 7.x.
Rolled back the 7.x changes. Moving this back to a normal task now.
Comment #25
webchickComment #26
tstoecklerAh sorry, that was because of the changed wording in D8. I should have noted that (which I would, if I had thought of it). Will roll a better test in a minute.
Comment #27
tstoecklerHmm... actually the patch #16-2 from above should be fine. Re-uploading.
Comment #28
tstoecklerComment #29
tstoecklerThis is RTBC. Sorry again for the trouble, which was in part my fault.
Note that this patch is not mine, but aspilicous'.
Comment #30
webchickGreat; thanks for the fast turnaround on this.
Committed to 7.x.
Comment #31
webchickAlso, restoring metadata.
Comment #32
aspilicious CreditAttribution: aspilicious commentedRemoving tags (needs backport to D7 queue cleanup)
Comment #33
tstoecklerActually the last tag is actually useful for historical reference. Restoring that tag.
Comment #34
webchickRestoring the other two, too, for the same reason.