Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By dani3lr0se on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
8.0.x
Introduced in version:
8.0.0-beta12
Description:
Problem/Motivation
Prior to 8.0.0-beta12 the "Translate user edited configuration" was considered a normal permission.
However as this permission allows one to translate shipped configuration strings which may overlap with interface text translation; there may be cases where translated configuration strings are reused as interface strings. This could lead to these configuration translations possibly being returned by t(), e.g. with translating default content type labels.
As the return value of t() is considered safe and not subject to input filtering, it could be possible for a user with the permission to translate user edited configuration strings to introduce and XSS exploit.
To reflect the sensitive nature of this permission, as of Drupal 8.0.0-beta12 it has been marked as restricted.
Important notice for owners of existing Drupal 8 sites
Those with an existing Drupal 8 site should review the permissions they have assigned to ensure only trusted users have the 'translate user edited configuration' permission'.
reported multiply in the Drupal 8 security bug bounty program
https://tracker.bugcrowd.com/submissions/672a7ac983d1d6e554114e2f287824a...
https://tracker.bugcrowd.com/submissions/4cab8e9ba13cfb3d4eec3348bd884b3...
Impacts:
Site builders, administrators, editors
