Problem/Motivation
The help block previously checked menu_tab_root_path() to see if it was on a valid page or not; that was replaced with checking the system path directly.
However, the system path is still specified even if it's a 403 or 404, and help blocks have been showing up ever since #2100073: Convert local_actions to the new local action plugins.
Proposed resolution
Fix the test coverage, and check for an exception.
Remaining tasks
N/A
User interface changes
N/A
API changes
N/A
Comment | File | Size | Author |
---|---|---|---|
#1 | help-2245783-1-PASS.patch | 1.61 KB | tim.plunkett |
#1 | help-2245783-1-FAIL.patch | 888 bytes | tim.plunkett |
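A stand-alone model of the bug and the fix described in the issue summary, added here as an illustration; it is not the committed patch or Drupal core code. The request attribute names (`_system_path`, `exception`), the help registry and all function names are assumptions made for this sketch.

```php
<?php
// Simplified model, not Drupal core code. All names here are hypothetical.

// Constructed help registry keyed by system path.
const HELP_TEXT = [
    'admin/index' => 'This page lists administrative tasks provided by each module.',
];

// Constructed request attributes: the system path is set even when the
// response will be a 403 or 404; error handling is assumed to add an
// 'exception' attribute to the request in that case.
function make_request(string $system_path, ?int $error_status): array {
    $attributes = ['_system_path' => $system_path];
    if ($error_status !== null) {
        $attributes['exception'] = $error_status;
    }
    return $attributes;
}

// Before: trusts the system path alone, so a denied request still gets help.
function active_help_before(array $attributes): string {
    return HELP_TEXT[$attributes['_system_path']] ?? '';
}

// After: return no help when the request is being handled as an error page.
function active_help_after(array $attributes): string {
    if (array_key_exists('exception', $attributes)) {
        return '';
    }
    return HELP_TEXT[$attributes['_system_path']] ?? '';
}

// Constructed cases: one permitted request and two error responses.
$cases = [
    'admin, allowed'    => make_request('admin/index', null),
    'anonymous, 403'    => make_request('admin/index', 403),
    'unknown path, 404' => make_request('no/such/page', 404),
];
foreach ($cases as $label => $request) {
    printf("%-18s help shown: before=%s after=%s\n", $label,
        var_export(active_help_before($request) !== '', true),
        var_export(active_help_after($request) !== '', true));
}
```

A regression test for this class of bug should request the admin path as an anonymous user and assert that the help text is absent from the 403 response, not only that the status code is correct.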
Comments
Comment #1
tim.plunkett
Here's the fix and a test.
Comment #2
xjm
I kept reloading this trying to figure out why the bot wasn't picking it up.
Comment #4
xjm
Looks good.
Comment #5
xjm
To illustrate the bug, here's admin/index before and after the patch when logged out.
Before
After
Comment #6
xjm
Comment #7
tim.plunkett
Discussed with @webchick, decided this was major. It's a) very disconcerting b) possibly dangerous to show help text for admin pages to anonymous and unprivileged users.
Comment #9
webchick
Given that this could potentially cause an information disclosure vulnerability, escalating to major. Nice find, nice fix, and nice tests. :)
Committed and pushed to 8.x. Thanks!