Access site reports gives access to watchdog, which in turn gives access to error messages and things like content titles without any access restrictions at all, so it should probably have the 'give to trusted roles only' warning on it. Coming here from #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls.

CommentFileSizeAuthor
#21 drupal-access_report_perm-2012468-21.patch432 bytesjoshi.rohit100
#19 drupal-access_report_perm-2012468-19.patch503 bytesjoshi.rohit100
#11 drupal-access_report_perm-2012468-11.patch432 bytesDavid_Rothstein
#6 drupal-access_report_perm-2012468-6.patch382 bytesplach
#4 d7-access_site_reports_trusted-2012468-1.txt433 bytesblueminds
#4 d8-access_site_reports_trusted-2012468-1.patch383 bytesblueminds
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Priority: Normal » Critical
Issue summary: View changes
Issue tags: +Needs backport to D7

It would be a good idea to resolve this before Drupal 8 is released, especially given #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls - the fact that D8 is logging URLs potentially including passwords or tokens in the logs is really not so different from something like https://drupal.org/node/912412, and bigger than basic access bypass issues (e.g. with node titles).

I agree this should probably just be marked a trusted permission... It's not ever going to be possible to keep all sensitive information out of the logs entirely (or desirable).

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Issue tags: +Security improvements
catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Issue tags: +Novice
blueminds’s picture

blueminds CreditAttribution: blueminds commented
Status: Active » Needs review
FileSize
d8-access_site_reports_trusted-2012468-1.patch383 bytes
d7-access_site_reports_trusted-2012468-1.txt433 bytes

Please see attached patches.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

Shouldn't it be TRUE, rather than FALSE?

plach’s picture

plach
he/him
Primary language Italian
Location Venezia
CreditAttribution: plach commented
FileSize
drupal-access_report_perm-2012468-6.patch382 bytes

Addressed #5

marco’s picture

marco CreditAttribution: marco commented
Status: Needs review » Reviewed & tested by the community
Issue tags: +DrupalDays Milano 2014

I've verified #6, 'restrict access' needs to be TRUE.

B31’s picture

B31 CreditAttribution: B31 commented

I've verified #6, too. I confirm that 'restrict access' needs to be TRUE.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

I committed this to HEAD. It may not be a bad idea to add a code comment explain "why"?

  • Commit 8f7c864 on 8.x by Dries: 
    Issue #2012468 by blueminds, plach: Add trusted roles recommendation to...
David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Version: 8.x-dev » 7.x-dev
Status: Fixed » Needs review
Issue tags: +7.29 release blocker
FileSize
drupal-access_report_perm-2012468-11.patch432 bytes

This is https://drupal.org/PSA-2014-002 and was already marked for D7 backport, so here's the patch.

dcam’s picture

dcam CreditAttribution: dcam commented
Status: Needs review » Reviewed & tested by the community

I've reviewed #11. It correctly adds the "Give to trusted roles only" warning to the View site reports permission in D7. It's also the exact same change that went into D8. #11 is RTBC.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 11: drupal-access_report_perm-2012468-11.patch, failed testing.

dcam’s picture

dcam CreditAttribution: dcam commented
Status: Needs work » Needs review

11: drupal-access_report_perm-2012468-11.patch queued for re-testing.

dcam’s picture

dcam CreditAttribution: dcam commented
Status: Needs review » Reviewed & tested by the community

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 11: drupal-access_report_perm-2012468-11.patch, failed testing.

dcam’s picture

dcam CreditAttribution: dcam commented
Status: Needs work » Needs review

11: drupal-access_report_perm-2012468-11.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, 11: drupal-access_report_perm-2012468-11.patch, failed testing.

joshi.rohit100’s picture

joshi.rohit100
he/him
Primary language Hindi
Location Delhi, India
CreditAttribution: joshi.rohit100 commented
Status: Needs work » Needs review
FileSize
drupal-access_report_perm-2012468-19.patch503 bytes

Updated the patch for D7. Added 'warning' attribute.

Status: Needs review » Needs work

The last submitted patch, 19: drupal-access_report_perm-2012468-19.patch, failed testing.

joshi.rohit100’s picture

joshi.rohit100
he/him
Primary language Hindi
Location Delhi, India
CreditAttribution: joshi.rohit100 commented
Status: Needs work » Needs review
FileSize
drupal-access_report_perm-2012468-21.patch432 bytes

rerolled #11.
I think, this test case is not relevent here.

dcam’s picture

dcam CreditAttribution: dcam commented
Status: Needs review » Reviewed & tested by the community

I'm not sure what was going on with #19 and #21. #11 didn't need a reroll and is still RTBC for D7.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 21: drupal-access_report_perm-2012468-21.patch, failed testing.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Status: Needs work » Reviewed & tested by the community
joshi.rohit100’s picture

joshi.rohit100
he/him
Primary language Hindi
Location Delhi, India
CreditAttribution: joshi.rohit100 commented

21: drupal-access_report_perm-2012468-21.patch queued for re-testing.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 21: drupal-access_report_perm-2012468-21.patch, failed testing.

plach’s picture

plach
he/him
Primary language Italian
Location Venezia
CreditAttribution: plach commented
Status: Needs work » Needs review

21: drupal-access_report_perm-2012468-21.patch queued for re-testing.

dcam’s picture

dcam CreditAttribution: dcam commented
Status: Needs review » Reviewed & tested by the community

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 21: drupal-access_report_perm-2012468-21.patch, failed testing.

Status: Needs work » Needs review

joshi.rohit100 queued 21: drupal-access_report_perm-2012468-21.patch for re-testing.

dcam’s picture

dcam CreditAttribution: dcam commented
Status: Needs review » Reviewed & tested by the community

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 21: drupal-access_report_perm-2012468-21.patch, failed testing.

Status: Needs work » Needs review

mgifford queued 21: drupal-access_report_perm-2012468-21.patch for re-testing.

dcam’s picture

dcam CreditAttribution: dcam commented
Status: Needs review » Reviewed & tested by the community
David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Status: Reviewed & tested by the community » Fixed
Issue tags: -7.29 release blocker +7.30 release notes

7.29 was a security release, but I went ahead and committed this now to get it into 7.30 (since it's harmless and related to the above-mentioned PSA).

Someone could create a separate followup issue for both D7 and D8 for the suggestion by Dries above (to add a code comment).

  • David_Rothstein committed eb49a5d on 7.x 
    Issue #2012468 by joshi.rohit100, blueminds, David_Rothstein, plach |...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.