Security hardening: reject Firebase credential files inside webroot [#3593727]

Problem/Motivation

Found in codex audit:

- Medium: the credentials path validator does not actually enforce “outside
the webroot.” It only rejects strings starting with public:// at
anata/web/modules/orig/firebase_php/src/Form/FirebasePhpConfigurationForm.p
hp:136. Absolute or relative paths inside DRUPAL_ROOT, including public
files paths, can pass if readable. Canonicalize with realpath() and reject
anything under the webroot/public files directory, including symlink
targets.

Issue fork firebase_php-3593727

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

security_firebase_credentials changes, plain diff MR !57
Check out this branch for the first time

Check out existing branch, if you already have it locally

About issue forks

Comments

Comment #1

4 June 2026 at 13:50

ptmkenny created an issue. See original summary.

Comment #2

4 June 2026 at 13:53

ptmkenny opened merge request !57

Comment #3

4 June 2026 at 14:38

ptmkenny committed 24978995 on 8.0.x

fix: #3593727 Security hardening: reject Firebase credential files...

Comment #4

ptmkenny commented 4 June 2026 at 14:40

Status:

Active

» Fixed

Comment #5

4 June 2026 at 14:40

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Security hardening: reject Firebase credential files inside webroot

Problem/Motivation

Issue fork firebase_php-3593727

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

News items

Our community

Documentation

Drupal code base

Governance of community