This is split off fromto keep the scope manageable, please read the IS of that issue too!
While discussingwe realised the configuration overrides do not provide cache contexts.
This does not currently manifest itself as a bug in core, but that is only because configuration overrides depend on the interface language, and interface language is a required cache context.
However as soon as you add domain module, organic groups or any other type of configuration override, then you have cache poisoning.
Then ConfigFactory.php can collect the cache contexts from the overrides and apply them to the config object. This is an API change for all config overrides.
If we decide that it's valid to have config overrides that don't require any cacheability metadata at all, then we could possibly add an instanceof check in ConfigFactory.php. That would remove the API change, but support for it would still be a contributed project blocker (and while interface language is a required cache context, IMO language config overrides should set a good example here).
Alex Pott also noticed that we have a bug with getCacheSuffix() - but I'll let him update the issue with that or open a spin-off (I think it was that the order, and hence cache key, could vary inconsistently).
While contributed project blockers are not usually critical, in this case the contrib module can port in every other aspect, but would have a security vulnerability until we fix this issue in core and it's updated to use it - and we have no way to stop people doing cache poisoning things in config overrides because really that's the entire point of them (arbitrarily changing config values based on whatever).
- Unpostpone .
User interface changes
Data model changes
Beta phase evaluation
| Issue priority | Critical because it allows cache poisoning through config overrides. |
| Prioritized changes | The main goals of this issue are to enhance security and performance. |
PASSED: [[SimpleTest]]: [PHP 5.5 MySQL] 98,868 pass(es).
| #119 | 2524082-119.patch | 46.65 KB | Gábor Hojtsy |
FAILED: [[SimpleTest]]: [PHP 5.5 MySQL] Unable to apply patch 2524082-119.patch. Unable to apply patch. See the log in the details link for more information.
| #116 | 2524082-116.patch | 41.93 KB | Gábor Hojtsy |
FAILED: [[SimpleTest]]: [PHP 5.5 MySQL] 98,605 pass(es), 1 fail(s), and 0 exception(s).
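The cache poisoning described in the issue summary, as an added example that is not part of the original issue or of Drupal core: a self-contained PHP model in which an override varies a config value by domain while the cache varies only by the required language context, next to the same flow with the override's cache contexts collected. `OverrideModel`, `DomainOverride`, `RenderCacheModel`, `renderSiteName()` and the `langcode`/`domain` context names are hypothetical.

```php
<?php
// Self-contained model, not Drupal core code; every class, function and cache-context name is hypothetical.

interface OverrideModel {
  public function load(string $name, array $request): array;
  public function cacheContexts(): array;
}

// Stands in for a contrib override that varies config by request domain.
final class DomainOverride implements OverrideModel {
  public function load(string $name, array $request): array {
    return $name === 'system.site' ? ['name' => 'Site for ' . $request['domain']] : [];
  }
  public function cacheContexts(): array { return ['domain']; }
}

// Cache whose key varies by the required contexts plus any declared ones.
final class RenderCacheModel {
  private $required;
  private $entries = [];
  public function __construct(array $required) { $this->required = $required; }
  public function get(string $id, array $contexts, array $request, callable $build): string {
    $all = array_unique(array_merge($this->required, $contexts));
    sort($all);  // stable order, so the same contexts always give the same key
    foreach ($all as $context) {
      $id .= ':' . $context . '=' . $request[$context];
    }
    return $this->entries[$id] ?? ($this->entries[$id] = $build());
  }
}

function renderSiteName(RenderCacheModel $cache, OverrideModel $override, array $request, bool $collect): string {
  // $collect = false models overrides whose cache contexts are never gathered.
  $contexts = $collect ? $override->cacheContexts() : [];
  return $cache->get('site_name', $contexts, $request, function () use ($override, $request) {
    return array_merge(['name' => 'Default'], $override->load('system.site', $request))['name'];
  });
}

$a = ['langcode' => 'en', 'domain' => 'a.example'];  // constructed requests
$b = ['langcode' => 'en', 'domain' => 'b.example'];
foreach ([false, true] as $collect) {
  $cache = new RenderCacheModel(['langcode']);  // only language is required
  renderSiteName($cache, new DomainOverride(), $a, $collect);  // warms the cache
  $seenByB = renderSiteName($cache, new DomainOverride(), $b, $collect);
  echo ($collect ? 'contexts collected' : 'contexts ignored') . ": b.example gets '$seenByB'\n";
}
```

Run it with the `php` command-line interpreter. With contexts ignored, the second request is answered from the entry built for the first domain; with contexts collected, each domain gets its own entry.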