Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 UTC on 18 March 2024, to get $100 off your ticket.
The use of PHP_SELF in the determination of the basepath easily leads to XSS, even if check_url is used. Attached patch replaces the use of PHP_SELF with SCRIPT_NAME.
Comment | File | Size | Author |
---|---|---|---|
no_php_self.patch | 3.27 KB | Heine | |
Comments
Comment #1
meba CreditAttribution: meba commentedIs this just for a safety or is D < 6.x vulnerable?
Tested the patch and seems OK
Comment #2
Heine CreditAttribution: Heine commentedD 6 is vulnerable, 4.7 and 5 have already been fixed with DRUPAL-SA-2007-018.
Comment #3
chx CreditAttribution: chx commentedThis is a no-brainer port of what's already released with 4.7 and 5 and definitely needs to go in before beta is rolled.
Comment #4
Gábor HojtsyLook logical and fine. Given that this is a port of an already accepted fix, I committed it right away.
Comment #5
(not verified) CreditAttribution: commented