The problem
#2419923: Port SA-CONTRIB-2013-096 to D8 was just rediscovered by amateescu.
We've agreed to do the following:
1. Not support the beta-to-beta upgrade path until publicly disclosed security issues in core are fixed.
2. Not release 8.0.0 with a backlog of security issues, either in 8.0.0 itself or ones that would require coordinated security releases with 6.x or 7.x versions. It hasn't been clarified whether this also applies to contrib modules that were moved into core.
Proposed resolution
For #1, we need to go back over contributed module SAs for contrib modules that have been ported to core, and ensure there aren't any more that have been overlooked that might affect 8.0.x. Once the backlog is clear, we can downgrade this to major and revisit it before release.
Remaining tasks
1. Make a list of Drupal 7 contrib modules that were moved to 8.0.x.
2. Make a list of the SAs that affect each module (a list of all SAs can be found here: https://docs.google.com/spreadsheets/d/1kULeE6-Kpd181d4-1eBOi1mInbV-nbfS...).
3. Confirm whether each SA was already fixed in 8.x explicitly, was fixed due to other changes, or needs to be ported.
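The three tasks above amount to a join between the "modules moved into core" list and the SA index, filtered to advisories published after the first D8 commit (March 19, 2011, per the thread), with one of the three outcomes recorded per advisory. The script below is an added example of that triage bookkeeping and is not part of this issue or of Drupal; every advisory id, project name, date and decision in it is constructed for illustration and must not be read as a real advisory.

```python
"""Triage contrib security advisories (SAs) against modules moved into D8 core.

Added example, not code from the Drupal issue. All records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# First commit to the D8 branch, as stated in the issue thread. Advisories
# published before this date predate any D8 code and are out of scope.
D8_FIRST_COMMIT = date(2011, 3, 19)

# Triage outcomes from the "Remaining tasks" list (labels are assumed).
FIXED_EXPLICITLY = "fixed explicitly in 8.x"
FIXED_BY_OTHER_CHANGES = "fixed due to other changes"
NEEDS_PORT = "needs to be ported"
NOT_IN_CORE = "affected code was not moved into core"
UNKNOWN = "unknown / not yet reviewed"
# Statuses that still block the release criterion in the issue summary.
BLOCKING = {NEEDS_PORT, UNKNOWN}


@dataclass(frozen=True)
class Advisory:
    sa_id: str        # advisory identifier (constructed values below)
    project: str      # drupal.org project machine name
    published: date
    title: str


# Constructed: projects whose code was moved into 8.0.x (task 1).
MOVED_INTO_CORE = {"restws", "filefield", "views", "ctools"}

# Constructed SA index (task 2). Ids are placeholders, not real advisories.
ADVISORIES = [
    Advisory("SA-EXAMPLE-001", "restws", date(2013, 9, 4), "constructed advisory"),
    Advisory("SA-EXAMPLE-002", "filefield", date(2014, 2, 12), "constructed advisory"),
    Advisory("SA-EXAMPLE-003", "ds", date(2013, 5, 1), "constructed: project not in core"),
    Advisory("SA-EXAMPLE-004", "views", date(2010, 11, 3), "constructed: predates D8"),
    Advisory("SA-EXAMPLE-005", "views", date(2012, 6, 20), "constructed advisory"),
    Advisory("SA-EXAMPLE-006", "ctools", date(2014, 1, 15), "constructed advisory"),
    Advisory("SA-EXAMPLE-007", "restws", date(2015, 2, 11), "constructed advisory"),
]

# Constructed: manual review decisions (task 3). Anything missing is UNKNOWN.
TRIAGE_DECISIONS = {
    "SA-EXAMPLE-001": NEEDS_PORT,
    "SA-EXAMPLE-002": FIXED_BY_OTHER_CHANGES,
    "SA-EXAMPLE-005": FIXED_EXPLICITLY,
    "SA-EXAMPLE-006": NOT_IN_CORE,
}


def in_scope(adv, moved=MOVED_INTO_CORE, cutoff=D8_FIRST_COMMIT):
    """An SA matters only if its project was moved into core and it was
    published on or after the first D8 commit."""
    return adv.project in moved and adv.published >= cutoff


def triage(advisories=ADVISORIES, decisions=TRIAGE_DECISIONS, moved=MOVED_INTO_CORE):
    """Group in-scope advisories by project, each paired with its status.
    Advisories without a recorded decision are flagged UNKNOWN so they are
    never silently dropped."""
    report = defaultdict(list)
    for adv in sorted(advisories, key=lambda a: (a.project, a.published)):
        if not in_scope(adv, moved):
            continue
        report[adv.project].append((adv, decisions.get(adv.sa_id, UNKNOWN)))
    return dict(report)


def blocking_items(report):
    """Advisory ids that still need work before the backlog is clear."""
    return sorted(adv.sa_id for rows in report.values()
                  for adv, status in rows if status in BLOCKING)


def format_report(report):
    """Plain-text summary, one line per advisory, grouped by project."""
    lines = []
    for project, rows in sorted(report.items()):
        lines.append(f"{project}:")
        for adv, status in rows:
            lines.append(f"  {adv.sa_id} ({adv.published.isoformat()}): {status}")
    lines.append(f"blocking: {', '.join(blocking_items(report)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage()))
```

Run as a script it prints the per-project table and the list of advisories still marked "needs to be ported" or "unknown"; the cutoff date and the decision map are the two inputs a reviewer would edit as the spreadsheet is filled in.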
Comments
Comment #1
catch

Comment #2
waringnick commented
Creating a list of contrib SAs since the first commit to D8 (Saturday March 19, 2011)

Comment #3
tim.plunkett
Hey @nickwaring89, any progress? I'd like to help out. If you have the list we can divide it up for checking each SA, or I can help with creating the list.

Comment #4
waringnick commented
Have started a spreadsheet listing all of the SA Contribs and am filling it in before checking. Doc available here:
https://docs.google.com/spreadsheets/d/1kULeE6-Kpd181d4-1eBOi1mInbV-nbfS...

Comment #5
waringnick commented
Looking at issues from March 19th 2011 onwards.

Comment #6
waringnick commented
Including link to spreadsheet of SAs. I'm not sure which ones are in D8 core, so anyone is welcome to look at the list and mark it.

Comment #7
mikey_p commented
I started updating the items in red with links to the SA and, where possible, a link to the commit that fixed the issue.

Comment #8
larowlan
Added https://www.drupal.org/node/2428863 for RESTWS - needs a look too.

Comment #9
berdir
We'll definitely need an issue for the basic auth security problem, I think.

Comment #10
webchick
OK, we worked on this today during Critical Office Hours, so tagging accordingly.
We re-jiggered the spreadsheet slightly. Before, the spreadsheet was showing ALL contrib SAs (which is good; we need to look at them all to pick out the ones that affect D8), but only a small subset of those actually need to be worked on. So we split it into two tabs: one showing just the D8 ones that have been identified, and the other with the full index: https://docs.google.com/a/acquia.com/spreadsheets/d/1kULeE6-Kpd181d4-1eB... Thanks to mrjmd who did the grunt work there!
I also added a "Resources" tab, since questions that came up included "What modules HAVE been included in D8?" and "Where is the list of SAs?" etc.
So hopefully this organizes things a bit better for the next person to attempt to do this.
Also, mpdonadio raised the terrifying thought of modules that have been moved into core but never had stable releases, so wouldn't have SAs. I thought about doing a query against all release nodes with the "Security fixes" bit set on them, but didn't get a chance to do that yet.

Comment #11
berdir
It's not quite clear to me how to check off those SAs that don't apply to core, for example because it is code that was never moved into core or the code is so different that no fix is needed. Should we re-purpose "In D8 Core" to "Applies to D8" or so, and mark those that don't as No? And possibly remove the red color from anything that is done/not needed?

Comment #12
mrjmd commented
@berdir my suggestion would be, if we have confirmed that it does not affect D8 core, we should just delete the row entirely from the ["Core-ish" Contrib SAs] tab, but leave it on the other tab with notes.
I moved everything that might be in core there just so nothing was overlooked, but the tab should really focus just on those D7 contrib SAs that we know affect D8 core.

Comment #13
berdir
Opened #2443571: Port SA-CONTRIB-2015-052 for the basic auth (aka restws) issue.
Removed some from this tab, as suggested.

Comment #14
berdir
Removed some more issues related to Services/Email Field/ctools, where the relevant code was not added to core.
Linked to some fixed issues, mostly about restws, where @klausi did a good job of opening core issues when the contrib issues were fixed.

Comment #15
waringnick commented
Unassigning myself from this issue. My lack of a development background is preventing me from helping at this stage.
Might be worth someone else taking the lead on this.
Cheers,
Nick

Comment #16
aspilicious commented
All the Display Suite issues are related to code not available in D8. They can be removed :)

Comment #17
berdir
Thanks, removed those; also removed others, down to 20 that need to be checked.

Comment #18
berdir
Oops: #2446995: Block content titles are not escaped on new block form (Port SA-CONTRIB-2013-082)
Good thing is, we're down to 4 unknown/unclear SAs, so we can close this soon.

Comment #19
larowlan
And then there were two - opened #2447063: Add test coverage for CONTRIB-2014-015 for adding test coverage for the filefield one.

Comment #20
larowlan
I think we're done here, @benjy and I have gone through the remaining ones.
The restws cache poisoning one is already covered in #2364011: [meta] External caches mix up response formats on URLs where content negotiation is in use

Comment #21
tim.plunkett
Thanks to everyone who helped with this!