Problem/Motivation

Identified in an audit by codex 5.5:

- Medium: raw service-account JSON can still be accepted from persisted
config if the form is bypassed.
web/modules/orig/firebase_php/src/Service/FirebasePhpMessagingService.php:63
accepts any config value that decodes to an array. That enables config
import/API paths to store private keys in Drupal config despite the form
warning. Prefer an explicit environment variable/service parameter for raw
JSON and keep config limited to file paths.
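A sketch of the separation the audit recommends, added here as an example; it is not the module's code or the committed fix. The function name `resolve_credentials`, the environment variable name `FIREBASE_CREDENTIALS_JSON` and the return shape are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical environment variable name; the page does not name one.
const CREDENTIALS_ENV = 'FIREBASE_CREDENTIALS_JSON';

// Hypothetical resolver: config may hold a file path only, raw JSON only comes from $env.
function resolve_credentials(string $configValue, array $env): array {
  $configValue = trim($configValue);

  // The audited pattern would return the decoded array at this point.
  // Here, any config value that decodes to an array is refused instead.
  if ($configValue !== '' && is_array(json_decode($configValue, TRUE))) {
    throw new InvalidArgumentException('Raw JSON credentials are not allowed in config; use a file path.');
  }

  if ($configValue !== '') {
    if (!is_file($configValue) || !is_readable($configValue)) {
      throw new InvalidArgumentException('Credentials path is not a readable file.');
    }
    return ['source' => 'file', 'value' => $configValue];
  }

  // Config is empty: fall back to raw JSON supplied outside of config.
  $decoded = json_decode((string) ($env[CREDENTIALS_ENV] ?? ''), TRUE);
  if (!is_array($decoded)) {
    throw new RuntimeException('No file path in config and no valid JSON in ' . CREDENTIALS_ENV . '.');
  }
  return ['source' => 'env', 'value' => $decoded];
}

// Constructed sample inputs; the key material is a placeholder.
$json = '{"type":"service_account","private_key":"PLACEHOLDER"}';
$path = tempnam(sys_get_temp_dir(), 'sa');
file_put_contents($path, $json);

$cases = [[$json, []], [$path, []], ['', [CREDENTIALS_ENV => $json]]];
foreach ($cases as [$config, $env]) {
  try {
    echo resolve_credentials($config, $env)['source'], PHP_EOL;
  }
  catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
  }
}
unlink($path);
```

Because the check runs where the value is read rather than in the form, it also covers values that arrive through config import or an API path.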

Comments

ptmkenny created an issue. See original summary.

  • ptmkenny committed b6e139bc on 8.0.x
    fix: #3593737 Security hardening: Do not allow JSON credentials to be...
Status: Active » Fixed
