Problem/Motivation
This is a follow-up to SA-CORE-2023-004 (https://git.drupalcode.org/project/drupal/-/commit/b4aa82d4486465eac7a13...).
That change removed sections of the phpinfo() page which can contain sensitive information.
Whilst Drupal core should have a safe default for this (which it now does), it would be useful for sites to be able to configure the phpinfo() output; it is often quite useful to see the PHP superglobals when debugging, for example.
We should include an appropriate note of caution about this setting, and perhaps encourage people to make any changes temporary.
Steps to reproduce
Visit /admin/reports/status/php as a user with the appropriate permissions.
Proposed resolution
Make the options (flags) passed to phpinfo() configurable.
Release notes snippet
A new setting, $settings['sa_core_2023_004_phpinfo_flags'] in default.settings.php, has been added to configure the behaviour of admin/reports/status/php.
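As an added illustration of how the proposed setting would be used (example code, not from the patch or from Drupal core), a settings.php fragment and the controller-side read that comment #3 describes via the static Settings::get(). The core default shown is an assumption about what the SA-CORE-2023-004 fix left enabled.

```php
<?php
// settings.php fragment (added example, not the patch's own code).
// phpinfo() takes a bitmask of the PHP INFO_* constants. The sections
// that SA-CORE-2023-004 removed are the ones that expose runtime data:
//   INFO_VARIABLES   - $_SERVER, $_ENV, $_COOKIE, $_REQUEST superglobals
//   INFO_ENVIRONMENT - the process environment (often holds DB/API secrets
//                      in containerised or 12-factor deployments)

// Assumed core default after the fix: everything except those two sections.
// Leaving the setting unset keeps this default.
// $settings['sa_core_2023_004_phpinfo_flags'] = ~(INFO_VARIABLES | INFO_ENVIRONMENT);

// Temporary debugging override: show the superglobals again but keep the
// process environment hidden. Remove this line once debugging is finished;
// the page remains readable by anyone with the relevant admin permission.
$settings['sa_core_2023_004_phpinfo_flags'] = INFO_ALL & ~INFO_ENVIRONMENT;

// Hardened alternative: only general PHP, ini and loaded-module information.
// $settings['sa_core_2023_004_phpinfo_flags'] = INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES;

// Controller side (assumed shape, mirroring the approach in comment #3):
// read the flags with the static Settings::get(), falling back to the
// assumed safe default, and capture phpinfo() output into a string.
use Drupal\Core\Site\Settings;

function example_phpinfo_html(): string {
  $flags = Settings::get(
    'sa_core_2023_004_phpinfo_flags',
    ~(INFO_VARIABLES | INFO_ENVIRONMENT)
  );
  ob_start();
  phpinfo((int) $flags);
  return (string) ob_get_clean();
}
```

The flag value is a plain integer bitmask, so an operator can audit the effective configuration with `php -r 'var_dump(INFO_ALL & ~INFO_ENVIRONMENT);'` before deploying it.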
Comment | File | Size | Author
---|---|---|---
#9 | Screenshot from 2023-05-15 18-26-21.png | 97.66 KB | shashank5563
#3 | 3358514-3.patch | 3.95 KB | poker10
Comments
Comment #2
mcdruid
Comment #3
poker10 (CreditAttribution: poker10 at ActivIT s.r.o.) commented:
Here is the patch similar to the D7 one, which uses the static Settings::get() (instead of injecting the Settings into the SystemInfoController). Let's check the testbot.
smustgrave (CreditAttribution: smustgrave at Mobomo) commented:
Can we add a simple change record for the new setting being proposed?
Thanks!
Comment #5
poker10 (CreditAttribution: poker10 at ActivIT s.r.o.) commented:
Thanks for the suggestion! Created a draft CR here: https://www.drupal.org/node/3360166. The text is similar to the one we are adding as docs in settings.php.
Comment #6
smustgrave (CreditAttribution: smustgrave at Mobomo) commented:
Thanks. Change looks good to me.
Comment #8
poker10 (CreditAttribution: poker10 at ActivIT s.r.o.) commented:
Seems like a testbot issue, moving back to RTBC.
Comment #9
shashank5563 (CreditAttribution: shashank5563 at Melity) commented:
I have tested on my side and found everything looks good. I am moving to RTBC+1.
Comment #11
poker10 (CreditAttribution: poker10 at ActivIT s.r.o.) commented:
Seems like there are issues with the 10.1.x core tests, see: https://www.drupal.org/pift-ci-job/2666817
Restoring status.
Comment #13
catch commented:
Patch looks fine but this needs a change record and release note mentioning the settings.php changes.
Comment #14
mcdruid commented:
I think we've got the draft CR linked already; we can add a release note snippet to the IS.
Comment #15
mcdruid commented:
Added a release note snippet.
@catch, please let us know if this needs anything else. Thanks!
Comment #16
mcdruid
Comment #19
catch commented:
Committed d08fdb0 and pushed to 11.x, cherry-picked to 10.1.x. Thanks!
Comment #20
catch
Comment #21
ressa (CreditAttribution: ressa at Ardea) commented:
Adding link to https://www.drupal.org/sa-core-2023-004 in the Issue Summary.
Comment #22
quietone (CreditAttribution: quietone at PreviousNext) commented:
Added branch/version to the CR and published it.