See:
https://www.drupal.org/SA-CORE-2015-001
http://cgit.drupalcode.org/drupal/commit/?id=b44056d2f8e8c71d35c85ec5c2f...
This issue is only for the open redirect issue involving the "destination" URL parameter and other vectors.
Credit for the D6/D7 version of this patch (the security release):
klausi, David_Rothstein, hefox, tsphethean, dstol, DamienMcKenna, Pere Orga, benjy
| Comment | File | Size | Author |
|---|---|---|---|
| #14 | open-redirect-sa-2455083.14.patch | 25.06 KB | larowlan |
| #14 | interdiff.txt | 8.87 KB | larowlan |
| #13 | interdiff.txt | 934 bytes | dawehner |
| #13 | 2455083-13.patch | 24.6 KB | dawehner |
| #10 | interdiff.txt | 6.04 KB | dawehner |
Comments
Comment #1
David_Rothstein CreditAttribution: David_Rothstein commented
Comment #2
effulgentsia CreditAttribution: effulgentsia at Acquia commented
Tagging "D8 upgrade path" as well so that we don't release a supported upgrade path beta that has publicly known security exploits.
Comment #3
larowlan
assigning
Comment #4
larowlan
Looks like we have a partial fix for this already in RedirectResponseSubscriber.
And we have a unit test already in RedirectResponseSubscriberTest.
But it doesn't cover all the cases in the SA commit.
Fail patch.
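An added illustration of the kind of local-path check an open-redirect fix for the "destination" parameter needs; this is not Drupal's own RedirectResponseSubscriber code, the function name is hypothetical, and the sample inputs are constructed.

```php
<?php
// Decide whether a "destination" query value may be used as a redirect
// target. Only local paths are allowed; anything a browser would resolve
// to another origin, or that could break the Location header, is rejected.
function is_local_destination(string $destination): bool {
    // Empty or whitespace-only values carry no target.
    if (trim($destination) === '') {
        return false;
    }
    // Leading whitespace or any control character (CR, LF, TAB, ...) can
    // hide a scheme from naive checks or inject header lines.
    if (preg_match('/^\s|[\x00-\x1F\x7F]/', $destination)) {
        return false;
    }
    // An absolute URL with a scheme (http://, https://, mailto:, ...) is
    // never a local path. Local paths containing ":" are rejected too.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $destination)) {
        return false;
    }
    // Protocol-relative forms: "//host", "\\host", "/\host" and "\/host"
    // are all resolved to another origin by browsers.
    if (preg_match('#^[/\\\\]{2}#', $destination)) {
        return false;
    }
    // Second opinion from the parser: a scheme or host component means
    // the value is not a plain local path.
    $parts = parse_url($destination);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    return true;
}

// Constructed sample inputs covering accepted and rejected classes.
$samples = [
    'node/1'                => true,
    '/user/login?foo=bar'   => true,
    'http://example.com/'   => false,
    '//example.com/'        => false,
    '/\\example.com'        => false,
    "\thttp://example.com/" => false,
    "node/1\r\nX-Injected: 1" => false,
];
foreach ($samples as $input => $expected) {
    $ok = is_local_destination($input) === $expected;
    printf("%-32s %s\n", var_export($input, true), $ok ? 'ok' : 'MISMATCH');
}
```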
Comment #5
larowlan
enough for today
Comment #7
dawehner
Working on it today.
Comment #8
dawehner
There we go
Comment #10
dawehner
Meh.
Comment #12
webchick
This is a no-brainer to keep critical. Tagging.
Comment #13
dawehner
Let's fix it.
Comment #14
larowlan
Fixed some minor nits found on review; I think this is ready.
Comment #15
alexpott
Committed d2304f8 and pushed to 8.0.x. Thanks!