The session-hijacking fixes from https://www.drupal.org/SA-CORE-2014-006 look like they would be relevant to Drupal 8 too and need to be ported there.
See the session.inc changes from http://cgit.drupalcode.org/drupal/commit/?id=81586d9e9d04dcee487c50de426...
Patch credit (for the D6/D7 fix): klausi, David_Rothstein, pwolanin
Note that there are some very nice functional tests (written by klausi) but we didn't release them as part of the security fix because they represent too much of a roadmap that shows an attacker how to exploit this. The idea was to hold on to them for a little while and then make them public and commit them later on (once people have had plenty of time to update).
In the meantime, the patch could go into Drupal 8 without tests, or maybe with some lower-level tests that check the very basic fact of how the session-reading function behaves when it encounters an empty session ID.
Comment | File | Size | Author |
---|---|---|---|
#4 | 2378699.patch | 721 bytes | klausi |
Comments
Comment #1
David_Rothstein CreditAttribution: David_Rothstein commentedAdding link to the related issue for the other half of the security advisory.
Comment #2
alexpottPostponing due to #2342593: Remove mixed SSL support from core. If we decide not to do that we can re-open.
Comment #3
klausiSince we decided to fix this in Drupal 6 also which has no mixed HTTPS mode support in core we should also do so for D8. Empty session IDs are never acceptable, so this is a legit flaw in the code base which should be fixed regardless of the outcome of #2342593: Remove mixed SSL support from core.
Comment #4
klausiklausi opened a new pull request for this issue.
Comment #5
klausiPatch is green and we don't want to post a test for this right now. RTBC anyone?
I will publish the test cases I developed after December 19th when upgrading to Drupal 7.34 is done on most sites.
Comment #6
David_Rothstein CreditAttribution: David_Rothstein commentedYup, this is good to go. Equivalent patch to Drupal 7, and looking at the surrounding code I don't see any reason it should be different in Drupal 8.
Comment #7
xjmComment #8
alexpottThis issue addresses a critical bug and is allowed per https://www.drupal.org/core/beta-changes. Committed 040dc5f and pushed to 8.0.x. Thanks!
Comment #11
klausiD7 test cases will be added in #2399657: Add session hijacking test cases for SA-CORE-2014-006.