Update to Drupal 7.27 for SA-CORE-2014-002

I agree. :-) First, we'll need to make patches for all the modules listed above and test that everything works fine with 7.27 and those patches. As always, help is welcome! ;-)

I've been digging in on this issue and I think far fewer modules are affected than I previously thought!

The actual vulnerability affects the form cache with forms that use '#ajax' => array('path' => '...') for anonymous users. If they use the standard 'path', then they're fine. And the API that has changed is for ajax_get_form().

• panels: Doesn't appear to use ajax_get_form() or the standard Drupla form cache. But the code is pretty complicated. It's the magic happening in ajax_*() methods in plugins/display_renders/panels_renderer_editor.class.php and panels_ipe/plugins/display_renderers/panels_renderer_ipe.class.php. Certainly neither of those should be used by anonymous users.
• views_ui: Rather than using ajax_get_form(), they use views_ui_ajax_get_form() which is designed to specifically NOT use the form cache.
• wysiwyg: Doesn't call ajax_get_form() itself - it just routes AJAX requests to plugins *_wysiwyg_dialog() callbacks. None of our bundled wysiwyg plugins have such callbacks!
• admin_menu: Doesn't manipulate or return form data in it's AJAX page callback. It appears to be returning a whole page from the page cache.

In fact, the only module that does call ajax_get_form() in the old way, is panopoly_magic, and it doesn't appear to return it's own commands, only reload the form special for ctools multistep forms.

So, I'll update panopoly_magic to call ajax_get_form() in the new way (for when we later read that code or update it), but it won't make any functional difference.

Committed!

We'll make the 1.3 release as soon as it is possible! :-) There's a number of bugs in the 7.x-1.x branch which I'm trying to fix right now. Not sure how long it will take. If you'd like to follow along, just watch the issue queue updates.

I'd personally recommend waiting for the 1.3 release which will happen soon. I'm working as fast as I can. :-) Like I said above, there are some bugs in the current 7.x-1.x git branch, so using it on production probably isn't a good idea. However, feel free to test it (with a clone or something) and see if it works for you!

In the end, I did several greps to get different information:

grep -nre 'delivery callback' .
grep -nre '#ajax' -A 5 .
grep -nre 'ajax_get_form' .

After that, I had to read through the code a bit to try and see if the issue applied. Since the API that changed was ajax_get_form(), you could probably get away with just doing the last one.

I hope that helps!