I attach a patch.

Original patch by Francisco José Cruz Romanos, and Peter Wolanin of the Drupal Security Team.

CommentFileSizeAuthor
#12 1892530-12.patch905 bytesamateescu
#6 image-xss-1892530.4.patch499 byteslarowlan
#1 drupal-xss_description_image_field-1892530.patch1017 bytesgrisendo
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

grisendo’s picture

grisendo CreditAttribution: grisendo commented
FileSize
drupal-xss_description_image_field-1892530.patch1017 bytes
grisendo’s picture

grisendo CreditAttribution: grisendo commented
Status: Active » Needs review
larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan commented
Issue summary: View changes
larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan commented
Component: image system » field system
Issue tags: +SA-CORE-2013-03

Reroll after SA-CORE-2013-03

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan commented
Issue summary: View changes
larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan commented
FileSize
image-xss-1892530.4.patch499 bytes
scor’s picture

scor CreditAttribution: scor commented
Issue tags: +Security Advisory follow-up
tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett commented
Issue tags: -SA-CORE-2013-03 +SA-CORE-2013-003

Status: Needs review » Needs work

The last submitted patch, 6: image-xss-1892530.4.patch, failed testing.

swentel’s picture

swentel CreditAttribution: swentel commented
Status: Needs work » Needs review

6: image-xss-1892530.4.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, 6: image-xss-1892530.4.patch, failed testing.

amateescu’s picture

amateescu CreditAttribution: amateescu commented
Status: Needs work » Needs review
FileSize
1892530-12.patch905 bytes

The original patch was correct, we only filter on output, not on regular API calls.

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
CreditAttribution: klausi commented
Title: XSS in image file description » XSS in image file description (forward port of SA-CORE-2013-003)
Priority: Normal » Critical
Issue tags: +Security improvements

Security issues are critical.

Status: Needs review » Needs work

The last submitted patch, 12: 1892530-12.patch, failed testing.

The last submitted patch, 12: 1892530-12.patch, failed testing.

The last submitted patch, 12: 1892530-12.patch, failed testing.

amateescu’s picture

amateescu CreditAttribution: amateescu commented
Status: Needs work » Needs review

12: 1892530-12.patch queued for re-testing.

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett commented
Status: Needs review » Reviewed & tested by the community

Looks good to me.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Reviewed & tested by the community » Fixed

Committed and pushed to 8.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.