Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem/Motivation
Potentially malicious actors have been accessing my Drupal website, making requests for /webform/javascript/[form_name]. In diagnosing this issue and looking for a solution, it came to my attention that any webform on a Drupal website, whether or not it has any custom CSS or JS attached, creates routes /webform/javascript/[form_name] and /webform/css/[form_name] that return 200.
Proposed resolution
in WebformEntityController.php, the methods for javascript and css should do some sort of check to see if any CSS or JS has actually been added for the webform. If no code is available, the route in question should return 404 instead of 200.
Issue fork webform-3277936
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #2
aaronpinero CreditAttribution: aaronpinero as a volunteer commentedAlternative solution: make this optional, like site-wide dialog support. In my case, I (now) have no forms to which custom CSS or JS has been added. In this case, I'd want to shut off this option so that the /webform/javascript and /webform/css routes are closed.
Comment #3
cilefen CreditAttribution: cilefen commentedComment #5
jrockowitz CreditAttribution: jrockowitz as a volunteer and at Webform module Open Collective, The Big Blue House commentedGood catch!!!
Please review the MR.
Comment #8
jrockowitz CreditAttribution: jrockowitz as a volunteer and at Webform module Open Collective, The Big Blue House commented