Problem/Motivation

Part of SA-CORE-2013-003
The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
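The class of bug described above is fixed by checking, before the client-side overlay loads a URL, that the URL resolves to a page on the same site. The following is an added example of such a check written for this page; it is not the patch attached to this issue or any Drupal code, and the site origin, sample inputs and function names (`isLocalUrl`, `safeOverlayPath`) are assumptions. It uses the WHATWG URL API available in browsers and Node.js.

```javascript
// Added example (not Drupal's code): validate a URL before the client-side
// overlay loads it, so that a crafted parameter cannot send the browser to
// another site. Uses the WHATWG URL API available in browsers and Node.js.

const HTTP_SCHEMES = new Set(['http:', 'https:']);

// Returns true only if `candidate` resolves to a page on `siteOrigin`.
// Anything the URL parser rejects, any non-http(s) scheme, and any
// protocol-relative or absolute URL pointing elsewhere is refused.
function isLocalUrl(candidate, siteOrigin) {
  if (typeof candidate !== 'string' || candidate.length === 0) {
    return false;
  }
  // Control characters and whitespace are stripped or tolerated by lenient
  // parsers; refusing them up front removes a class of parser-difference bugs.
  if (/[\u0000-\u0020\u007F]/.test(candidate)) {
    return false;
  }
  let target;
  let site;
  try {
    site = new URL(siteOrigin);
    target = new URL(candidate, site);
  } catch (err) {
    return false; // unparseable input is never a valid local page
  }
  if (!HTTP_SCHEMES.has(target.protocol)) {
    return false; // javascript:, data:, etc.
  }
  // `origin` compares scheme, host and port together, so "//evil.example",
  // "https://evil.example/" and "https://site.example@evil.example/" all fail.
  return target.origin === site.origin;
}

// Picks the path the overlay should open: the requested one when it is local,
// otherwise a fixed fallback. Returns a site-relative path, never a full URL,
// so the caller cannot accidentally navigate off-site.
function safeOverlayPath(candidate, siteOrigin, fallback = '/') {
  if (!isLocalUrl(candidate, siteOrigin)) {
    return fallback;
  }
  const target = new URL(candidate, siteOrigin);
  return target.pathname + target.search + target.hash;
}

// Constructed sample inputs (assumed values, no real hosts referenced), of the
// kind an untrusted query parameter might carry.
const SAMPLE_SITE = 'https://site.example';
const SAMPLE_INPUTS = [
  '/admin/config',
  'https://site.example/admin/people',
  '//evil.example/login',
  'https://evil.example/',
  'https://site.example@evil.example/',
  'javascript:alert(1)',
  '/admin\tconfig',
];

// Runs every sample through the check and reports the verdict for each.
function classifySamples() {
  return SAMPLE_INPUTS.map((u) => ({ url: u, local: isLocalUrl(u, SAMPLE_SITE) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of classifySamples()) {
    console.log(`${row.local ? 'allow ' : 'reject'} ${row.url}`);
  }
}
```

Comparing `origin` rather than inspecting the string is the point: string prefix checks such as "starts with /" miss protocol-relative URLs, and host checks such as "contains site.example" miss userinfo and subdomain tricks, whereas the parser resolves all of them to their real destination first.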

Proposed resolution

Forward port patch

Remaining tasks

Review

User interface changes

None

API changes

None

Original patch by Heine Deelstra of the Drupal Security Team

Files
overlay-redirect.1.patch (1.23 KB), uploaded by larowlan

Comments

larowlan

Issue summary: View changes
larowlan

Issue summary: View changes

Status: Needs review » Needs work

The last submitted patch, overlay-redirect.1.patch, failed testing.

larowlan

Issue summary: View changes
scor

Issue tags: -SA-CORE-2013-03 +Security Advisory follow-up, +SA-CORE-2013-003
amateescu

Status: Needs work » Needs review

overlay-redirect.1.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, overlay-redirect.1.patch, failed testing.

amateescu

Status: Needs work » Needs review

overlay-redirect.1.patch queued for re-testing.

amateescu

Priority: Major » Critical
Status: Needs review » Reviewed & tested by the community

SA followups are critical, marking as such. Also, this is ready to go.

webchick

Status: Reviewed & tested by the community » Fixed

Committed and pushed to 8.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.