We did not release test cases for SA-CORE-2014-006 to not reveal too much information for attackers on how to exploit the session hijacking vulnerability.
Now that more than one month has passed, we can assume that most sites are updated and commit the test case.
This is only an issue for Drupal 7 since HTTPS mixed mode was removed from Drupal 8 core in #2342593: Remove mixed SSL support from core.
Comment | File | Size | Author |
---|---|---|---|
#6 | 2399657.patch | 2.11 KB | klausi |
#3 | 2399657.patch | 2.69 KB | klausi |
#1 | 2399657.patch | 2.1 KB | klausi |
Comments
Comment #1
klausi
klausi opened a new pull request for this issue.
Comment #2
Berdir
Probably needs a test-only patch that reverts the fix to make sure that it is failing when it should?
Comment #3
klausi
klausi opened a new pull request for this issue.
Comment #4
klausi
So that is a separate pull request with a TESTONLY branch and should fail on the testbot.
Comment #6
klausi
klausi pushed some commits to the pull request.
For an interdiff please see the list of recent commits.
Comment #7
klausi
Perfect, testonly patch failing where we expected it.
Fixed a typo and improved comments.
Comment #8
klausi
Actually the test case has already received positive reviews when this was a private security issue, so pwolanin suggested that this can go directly to RTBC.
Comment #9
David_Rothstein
Committed to 7.x - thanks!
Fixed on commit: