From the initial security report by cboyden "The integration module does not verify the moderation state that a node is in before publishing it. This could allow a less-privileged user to bypass Workbench Moderation restrictions on who can move nodes through the moderation process. For example, if a Contributor role is not allowed to move content from Needs Review to Approved, but is allowed to schedule publication, content will be automatically published on the date the Contributor chooses even if the content has not been transitioned to the Approved state by a more-privileged user."

In short, users that did not have permissions in Workbench Moderation to move a revision to published could use Scheduler Workbench Integration to schedule a publish and bypass the permissions for Workbench transition states.

The fix implements hook_scheduler_allow_publishing() with a check on the current revision's owner to see if they have the correct permission to move to the published state.
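The shape of such a check, as an added illustration rather than the project's actual commit: a Drupal 7 implementation of hook_scheduler_allow_publishing() that refuses a scheduled publish unless the revision owner holds the Workbench Moderation transition permission. It assumes Workbench Moderation's workbench_moderation_node_current_state(), workbench_moderation_state_published() and workbench_moderation_node_type_moderated() helpers and its "moderate content from X to Y" permission strings; the module name "mymodule" is a placeholder.

```php
<?php
/**
 * Implements hook_scheduler_allow_publishing().
 *
 * Added example, not code from scheduler_workbench. Scheduler calls this
 * hook before publishing; returning FALSE keeps the node unpublished.
 * Assumption: the transition permission is named
 * "moderate content from <from> to <to>", as Workbench Moderation 7.x does.
 */
function mymodule_scheduler_allow_publishing($node) {
  // Content types outside Workbench Moderation are not restricted.
  if (!module_exists('workbench_moderation')
      || !workbench_moderation_node_type_moderated($node->type)) {
    return TRUE;
  }

  // State of the revision Scheduler is about to publish (e.g. 'needs_review').
  $from = workbench_moderation_node_current_state($node);
  $to = workbench_moderation_state_published();
  if ($from === $to) {
    // Already published by a permitted user; nothing to bypass.
    return TRUE;
  }

  // Check the owner of the current revision, not the user running cron,
  // because cron typically runs as the anonymous or system user.
  $owner_uid = isset($node->revision_uid) ? $node->revision_uid : $node->uid;
  $owner = user_load($owner_uid);
  if (!$owner) {
    return FALSE;
  }

  $allowed = user_access("moderate content from $from to $to", $owner);
  if (!$allowed) {
    // Log the refusal so an unexpected schedule is visible to site admins.
    watchdog('mymodule',
      'Scheduled publish of node %nid refused: %name may not move content from %from to %to.',
      array('%nid' => $node->nid, '%name' => $owner->name, '%from' => $from, '%to' => $to),
      WATCHDOG_WARNING);
  }
  return $allowed;
}
```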

Comments

Andrew M Riley created an issue.

andrew m riley:

Thanks to cboyden for reporting the issue, and thanks to pfrenssen, Eric_A, grashmash, haphan, angel.h and cboyden, this is fixed. Please download version 7.x-1.3 (or later) to get this fix or apply a patch directly from http://cgit.drupalcode.org/scheduler_workbench/commit/?id=f648cbd

andrew m riley:

Status: Active » Fixed

nvaken:

Just to be absolutely sure: So, we can disregard the "Uninstall this module" advisory and simply install >= 7.x-1.3 to patch SA-CONTRIB-2017-39?

andrew m riley:

Ambidex, 7.x-1.3 fixes the reason the "Uninstall this module" went out. In short there was a security vulnerability reported and there were no registered maintainers on this project so nobody could fix it. Following their standard operating procedures the security team sent out the email to uninstall this module since nobody was fixing it.

Once that email went out that all changed. A bunch of people volunteered to fix the issue and the security team gave me commit access to apply the fix and get the module back in good standing. The security team reviewed the patch, I tested it and then the security team gave the fix the OK once I tagged 7.x-1.3 last night. I'm not sure if they'll amend https://www.drupal.org/node/2869141 or not.

Sorry this is long-winded, but I felt it was info the community will probably want. I'll be continuing on to maintain this module and will be adding other maintainers once the dust settles from this security release.

For core or any module if you do happen to find a security vulnerability please follow the directions at https://www.drupal.org/security-team/report-issue

tl;dr: If you install 7.x-1.3 you don't need to uninstall the module. If you are running 7.x-1.2 or earlier please uninstall it or upgrade immediately.

jonathan1055:

Thanks Andrew for stepping in to fix this (and become a maintainer).

I think that Scheduler Workbench Integration - Critical - Unsupported - SA-CONTRIB-2017-39 should be updated, as the message "If you use the Scheduler Workbench Integration module for Drupal you should uninstall it." is wrong now. Who can we ask to do that? We don't want a whole bunch of users discarding this module when the security problem is now fixed.

cboyden:

It might be best to flag this release as a security release, and then issue a new SA next Wednesday. That will prompt module users that there is a security update available. The SA can reference the previous SA and state that the module is now supported and fixed.

mlhess:

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
