Closed (fixed)
Project:
Drupal core
Version:
8.0.x-dev
Component:
aggregator.module
Priority:
Major
Category:
Bug report
Assigned:
Issue tags:
Reporter:
Created:
18 Mar 2015 at 21:48 UTC
Updated:
4 May 2015 at 15:04 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
jhodgdonAs a note, we probably cannot replace these until we have a Field UI formatter that does XSS filtering.
Comment #2
jhodgdonElevating to critical, as per parent issue.
Comment #3
jhodgdonApparently we should just be able to use 'field'. See comments on #2455153: Switch revision log views fields to use 'field' formatter.
Comment #4
xjmComment #5
dawehnerIts a bit odd, ideally we should be able to just drop that file and all its uses, but for some reason aggregator has its own specialized xss filter.
Does anyone know why?
Comment #6
ParisLiakos commentedthis function is ancient and will be there forever unless this issue is fixed
Comment #7
dawehnerThanks a ton @ParisLiakos for your feedback!
Comment #8
berdirYeah that thing is weird. Would have been nice to get rid of it, but not sure we should still try.
We're talking about field access and translatability of feed and feed items. At least by default in core, those two entity types are not translatable and have no data table. And field access on feed/item titles? I challenge you do provide a use case where that would make sense ;)
Should this *really* be a critical release blocker? I'm worried that we use this meta issue to push through all kinds of changes that would otherwise no longer be possible, resulting in more API and database/config changes. 8.0.0 will not be perfect, we have to accept that or it will never happen.
Comment #9
jhodgdonIf Aggregator has no entity access, then we can ignore it. But I assert that it does. I am not saying it's *useful* but if it uses the entity access system then I don't think Views should be bypassing it?
Comment #10
dawehnerWell that is the problem, everyone can theoretically swap out the implementation and boom we have a security problem, unless views uses the proper mechanisms,
so I think we have to do it.
Comment #11
berdirWell, entity field access is technically possible, my points are...
a) it's the entity label (Drupal's UI's usually fall apart completely if you can't see node titles, taxonomy terms or feed titles but have access to the entity)
b) it's feeds and feed items, I see no practical use of field level access, it's for 99% of the cases aggregation of content that is publicly availalbe elsewhere.
c) The default UI for aggregator.module is still custom code and not provided by views. And that custom code doesn't care about entity field access in any way. So why would supporting it in the views integration be a critical release-blocker?
I'm not against fixing it. And I've been trying to fix #2149845: Convert the description field of the 'aggregator_item' entity to a text field a long, long time ago. But it didn't happen, and IMHO, we have to live with that now. This is similar to the user signature case, it's custom data/formatter handling, we would have to change storage to support this, which be one more thing that breaks existing D8 sites (I do have those, although I'm not using aggregator). Which is fine if it's worth it, my point is that IMHO, in this case, it is not.
Comment #12
jhodgdonExactly, that is why we have this issue.
Comment #13
berdirI guess we could convert the custom views field plugins to custom field formatters, that just apply to those specific entity types/fields, but not sure what we gain with that exactly.
Anyway, what I care about is getting D8 out asap, and with as few API changes as possible (and as many as required). That said, I'm not actually using aggregator.module at the moment, so I don't care too much about this specific issue. I tried to make my point, won't continue to argue.
Comment #14
dawehnerThat is a strong point.
Also neither aggregator feed nor aggregator item is translatable, so the other part of the meta doesn't apply here.
I think for this particular field we can indeed move the issue to be "just" major. Does someone strongly disagree?
Comment #15
xjmSo to this point:
I've used Feeds in Drupal 6 to import data from a feed on a restricted local network onto a site, which then displayed some of the content on a publicly-accessible intranet, but with restricted access on some fields. If I built a view of that content and my access rules were ignored when they were followed everywhere else, wouldn't that be an information disclosure that merited a private security issue? Obviously my particular scenario wouldn't happen since those were configurable fields, but isn't something similar possible?
It's obviously not critical the way that (say) the user email field was, but at the least, I think we need a big caveat in the Views UI when you add those fields. I'd like a second opinion from a sec team member, but I think if we had that, we could indeed downgrade this or even wontfix it if so desired.
Comment #16
dawehnerWell, won't fix is certainly the wrong thing, given that it adds value to convert the beside of "just" security.
Comment #17
xjm@dawehner clarified in IRC that the edgecase disclosures I describe in #15 would also happen in HEAD with aggregator itself currently, which didn't quite click before. So agreed with this being major.
Comment #18
k4v commentedComment #19
k4v commentedComment #20
yannickooComment #21
axe312 commented- just wanted to remove the hashtag from the issue tag ... yannickoo was faster -
Comment #22
jhodgdonHuh. I thought we had decided that the generic Field formatter would do enough XSS filtering, so we didn't really need to do anything special like making an Aggregator formatter here? See comment #3 above, which is when the Proposed Resolution was changed to say that we should just use Field.
So I think the plan here is to (a) just use Field, no extra formatter and (b) remove the XSS Views field handler from Aggregator[this patch does that] and then I think we can also (c) remove the aggregator_filter_xss() function that the XSS field handler called (assuming it is not used elsewhere in Core). May need a change notice for that? Or we can leave it around as cruft. ;)
Comment #23
jhodgdonOK, I talked to @dawehner at DDD and we decided yes we should have a formatter. So I took a look at this patch.
As a note, the aggregator filter function that is called, in turn calls Xss::filter(), which sets the Safe Markup thingy, so we're good. It uses a setting that admins can do to filter out certain tags. This is probably what we want for Aggregator, because this is external text coming from a feed.
@dawehner agrees (he is standing behind me). Let's ship it!
Comment #24
berdirYeah, without #2149845: Convert the description field of the 'aggregator_item' entity to a text field (which would have added a text format in aggregator.module that it would be using), we can't use the default formatters and need a custom one.
Comment #25
alexpottIs there any test coverage of this?
Comment #26
jhodgdonIt appears to me that \Drupal\aggregator\Tests\Views\IntegrationTest should test several of the fields that use this.
However, it is very suspicious that this test uses a test view:
core/modules/aggregator/tests/modules/aggregator_test_views/test_views/views.view.test_aggregator_items.yml
This view is not updated in this patch, and yet the test does not fail. It is definitely referencing a plugin that is removed in this patch. ???!?
Comment #27
k4v commentedI'm not sure, why the test did not fail. I now removed all references to aggregator_xss also from the config.
Test coverage is okay I think, the fields are rendered as before.
Comment #28
k4v commentedoops
Comment #29
k4v commentedComment #30
jhodgdonI verified in the test bot output that IntegrationTest is running (38 passes). It definitely tests the XSS functionality for the fields that have been changed. I do not think we need new tests added.
I think the reason we didn't have a fail before, even without the views config changes, is that technically, Views doesn't actually use the plugin_id that is defined in the views config -- it always uses the plugin ID that is defined in the hook_views_data or EntityViewsData. Since there were no schema changes for the plugin change (neither the old or the new one has options on the formatter), there was no complaint about the change.
Anyway, this still looks RTBC.
Comment #31
alexpottThis issue addresses a major bug and is allowed per https://www.drupal.org/core/beta-changes. Committed 5f987ee and pushed to 8.0.x. Thanks!