Closed (fixed)
Project:
Security Review
Version:
2.0.x-dev
Component:
Code
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
6 Oct 2015 at 11:11 UTC
Updated:
1 Feb 2023 at 01:34 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
banviktor commentedI'm aiming to provide a patch for this tomorrow.
Comment #3
banviktor commentedPatch added.
Comment #5
banviktor commentedLooks like configuration API's requirements in testing have changed in the meantime. Solving that might need a separate issue.
Comment #6
banviktor commentedThis leaves only the langcode problems in.
Comment #7
banviktor commentedThe said issue is still pretty active, so maybe we should wait with this.
Comment #10
banviktor commentedComment #11
smustgrave commentedSo what was this postponed for?
Comment #12
gregglesI think banviktor was saying that the core api was changing, but that's no longer true so it seems fine to make this back to needs review or needs work.
Comment #13
smustgrave commentedRerolled
Comment #14
smustgrave commentedbumping this one for the refractor of trusted hosts
Comment #15
gregglesI noticed this changes the token from @file to !file:
Is that an intentional and required change?
Comment #16
smustgrave commentedI couldn't explain why but !file: was causing an error and not being replaced.
Comment #17
smustgrave commentedOther then that though does this change still work for you also?
Comment #18
gregglesI think (?) that's a really important thing to figure out to be sure it's not a pathway for xss.
Comment #19
smustgrave commentedCan try to find some php doc but not sure where to look quickly, this is a current bug. It throws an error currently not replacing
Comment #20
ambient.impact@smustgrave What's the exact error? It could be that core is seeing it as a URL and thus a potential security issue when used as a replacement of the wrong type.
Comment #21
smustgrave commentedActually just checked in D10 and no longer seeing the issue will update the patch later.
Comment #22
smustgrave commentedOkay this should be good to go!
Comment #25
smustgrave commentedGoing ahead and merging to keep the ball rolling on the trusted host updates.