Port SQL Injection - Database API fixes from SA-CORE-2015-003 to Drupal 8 [#2554229]

See: https://www.drupal.org/SA-CORE-2015-003
http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=731dfacab8bf39918c135...

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Credit for the D6/D7 version of this patch (the security release):

csabot3, Crell, pwolanin, YesCT, ircmaxell, greggles

Comment	File	Size	Author
#6	2554229-6.patch	4.01 KB	stefan.r
#6	8.0.x: PHP 5.5 & MySQL 5.5 13,317 pass
#4	2554229-3.patch	2.48 KB	stefan.r
#4	8.0.x: PHP 5.5 & MySQL 5.5 13,296 pass, 5 fail
#2	2554229-1.patch	2.48 KB	stefan.r
#2	8.0.x: PHP 5.5 & MySQL 5.5 13,214 pass, 5 fail

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

19 August 2015 at 23:13

webchick created an issue. See original summary.

Comment #2

stefan.r CreditAttribution: stefan.r commented 19 August 2015 at 23:28

Status:

Active

» Needs review

File	Size
2554229-1.patch	2.48 KB
8.0.x: PHP 5.5 & MySQL 5.5 13,214 pass, 5 fail

Comment #3

19 August 2015 at 23:29

Status:

Needs review

» Needs work

The last submitted patch, 2: 2554229-1.patch, failed testing.

Comment #4

stefan.r CreditAttribution: stefan.r commented 19 August 2015 at 23:33

Status:

Needs work

» Needs review

File	Size
2554229-3.patch	2.48 KB
8.0.x: PHP 5.5 & MySQL 5.5 13,296 pass, 5 fail

Comment #5

19 August 2015 at 23:59

Status:

Needs review

» Needs work

The last submitted patch, 4: 2554229-3.patch, failed testing.

Comment #6

stefan.r CreditAttribution: stefan.r commented 20 August 2015 at 00:21

Status:

Needs work

» Needs review

File	Size
2554229-6.patch	4.01 KB
8.0.x: PHP 5.5 & MySQL 5.5 13,317 pass

Comment #7

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan as a volunteer commented 20 August 2015 at 06:47

Status:

Needs review

» Reviewed & tested by the community

Thanks!

Comment #8

effulgentsia CreditAttribution: effulgentsia at Acquia commented 20 August 2015 at 13:53

Patch looks great. Adding credit to larowlan for reviewing and webchick for reporting.

Comment #9

effulgentsia CreditAttribution: effulgentsia at Acquia commented 20 August 2015 at 13:59

Status:

Reviewed & tested by the community

» Fixed

Pushed to 8.0.x. Thanks!

Comment #10

20 August 2015 at 13:59

effulgentsia committed 02a6786 on 8.0.x

Issue #2554229 by stefan.r, csabot3, Crell, pwolanin, YesCT, ircmaxell,...

Comment #11

3 September 2015 at 14:04

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Port SQL Injection - Database API fixes from SA-CORE-2015-003 to Drupal 8

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community