block some "import foo" boxes that use php arrays as a data structure

What else exists?

• auto_nodetitle
• backup_migrate
• bundle_copy
• computed_field
• context
• css_injector
• custom_breadcrumbs
• delta
• devel (natch)
• draggableviews
• feeds_ui
• flag
• js_injector
• jw_player
• openlayers
• relation_ui
• services
• views_bulk_operations
• Anything that implements ctools_export_ui_form can enter PHP

Note that many of these implement their own permissions and bypass the core PHP permission.

We will look into providing a patch for the specific form fields, but it will be a couple of weeks due to the holidays.

This patch hits a few of them. I can't change the issue status.

Some of the modules identified use generic forms that can't be blocked (e.g., node_type_form). But this should get a few more forms and one PHP permission.

VBO's "chainsaw mode" can be disabled with this in a hook_form_alter():

  if ($form_id == "views_ui_config_item_form") {
    unset ($form['options']['vbo_operations']['action::views_bulk_operations_script_action']);
  }

I can add that to the patch as well.

"Execute arbitrary PHP script", AKA, "chainsaw mode" :)

Go testbot...

Oh, huh. There's already code in paranoia.module that should be blocking the VBO chainsaw mode.

Oh, I see. In the current paranoia_form_views_ui_config_item_form_alter(), the conditional is too restrictive.

if ($form['#section'] == 'page-field-views_bulk_operations') doesn't evaluate to TRUE on every VBO (for example on admin_views_user). The approach that I took in the patch is a much bigger hammer.

Posting WIP so it doesn't get lost.

OK, I think this is ready for review.

The attached patch does the following:

1. Disallows the "Computed Field" module
2. Blocks the permission to use PHP in Custom Breadcrumbs
3. Changes the message "This form is disabled for security reasons..." to pull from a variable in the DB (so that it's configurable)
4. Blocks VBO's "chainsaw mode"
5. Removes the earlier attempt to block VBO's "chainsaw mode" via hook_form_FORM_ID_alter()
6. Blocks Automatic Nodetitles's "Evaluate PHP in pattern" setting.
7. Removes the PHP field from the Custom Breadcrumbs form (belt and suspenders)
8. Blocks the Backup and Migrate import form
9. Blocks the Bundle Copy import form
10. Blocks forms that implement ctools_export_ui_edit_item_wizard_form (e.g., Context, Delta, JS Injector, JW Player, OpenLayers, Services)
11. Blocks the Feeds UI import form
12. Blocks the Flag import form
13. Blocks the Page Manager import form
14. Blocks the Relation import form
15. Blocks the Rules import form
16. Blocks the Views import form

Hm. The modules listed in paranoia_paranoia_disable_modules() also need to be added in paranoia_paranoia_hide_modules(), otherwise a user can enable them.

OK let's try this.

I like the direction of this patch. I reviewed the list of modules suggested from #6 and see the few I couldn't confirm were executing PHP (such as openlayers) are not included in this patch.

Additionally I like the idea of disabling the field or form in a few places rather then just blacklisting the entire module from being enabled.

I've skimmed the patch but not had a chance to fully review or test.

Blocking ctools_export_ui_edit_item_wizard_form takes care of PHP entry in Context, Delta, JS Injector, JW Player, OpenLayers, Services (they all have Import forms).

This issue is conflated a bit with #2059963 but it does not hit everything listed in comment #12 in that issue.

@Cash, here is an install profile that contains all the modules. Run drush make Stanford-Drupal-Profile/make/group.make --force-complete to build it.

Here is a Behat Feature that verifies the changes proposed in this patch.

The new patch does everything stated in #22, plus it blocks the permission to "restore from backup" (Backup and Migrate).

The attached patch does the following:

1. Disallows the "Computed Field" module
2. Blocks the permission to use PHP in Custom Breadcrumbs
3. Changes the message "This form is disabled for security reasons..." to pull from a variable in the DB (so that it's configurable)
4. Blocks VBO's "chainsaw mode"
5. Removes the earlier attempt to block VBO's "chainsaw mode" via hook_form_FORM_ID_alter()
6. Blocks Automatic Nodetitles's "Evaluate PHP in pattern" setting.
7. Removes the PHP field from the Custom Breadcrumbs form (belt and suspenders)
8. Blocks the Backup and Migrate import form
9. Blocks the Bundle Copy import form
10. Blocks forms that implement ctools_export_ui_edit_item_wizard_form (e.g., Context, Delta, JS Injector, JW Player, OpenLayers, Services)
11. Blocks the Feeds UI import form
12. Blocks the Flag import form
13. Blocks the Page Manager import form
14. Blocks the Relation import form
15. Blocks the Rules import form
16. Blocks the Views import form
17. NEW: Blocks the Backup and Migrate restore permission
18. NEW: Blocks the Backup and Migrate restore form

Same as #29, plus blocking the use of PHP in Views Contextual Filters. (See https://www.drupal.org/docs/7/modules/views/views-howtos/php-contextual-...).

I'm also hiding my other patches.

Reroll.

Tested the functionalities mentioned in the patch and almost everything works except the bit with auto_nodetitle: I can still "Evaluate PHP in pattern." with user 1 because auto_nodetitle weight is set to 5 so Paranoia’s form_alter is overridden. It works fine with any other users (even admins), because auto_nodetitle sets #access based on the permission to use php which is hidden by paranoia but user 1 has all permissions by default. I'm not sure what the best fix would be here (just changing Paranoia's weight seem a bit hacky and dangerous?).

I'm also re-submitting the patch without the use of t with variable_get (see documentation here and here for more details).

@jmoreira, thanks! (I always get the usage of t() wrong in variable_get().

I think the question of setting Paranoia's weight is a decision for the module maintainers. I would argue in favor of it, as the entire premise of the module is to be "heavy-handed".

I have tested @jmoreira's patch with this suite of Behat tests. It's not a complete suite for the entire functionality of the Paranoia module, but it covers most of the functionality introduced in the patch.

Thanks @greggles!