Remove "Execute arbitrary PHP script" action [#2596123]

Executing arbitrary PHP has no place in a UI, any custom code should be version controlled and not user input. A separate contrib module could be provided as legacy support.

Comment	File	Size	Author
#3	vbo-arbitrary-behavior-2590735-3.patch	1.04 KB	gifad
#2	2596123.diff	3.64 KB	drumm

Comments

Comment #1

19 October 2015 at 03:23

drumm created an issue. See original summary.

Comment #2

drumm

he/him

NY, US

commented 19 October 2015 at 03:26

Status:

Active

» Needs review

Status	File	Size
new	2596123.diff	3.64 KB

Comment #3

gifad commented 19 October 2015 at 10:58

Status	File	Size
new	vbo-arbitrary-behavior-2590735-3.patch	1.04 KB

I agree that, like any feature involving php code, explicit permission should be granted.
This is actually done by the Actions permission module.
Patch at Unexpected behaviour of "Execute arbitrary PHP script" action makes script action dependant on actions permissions enabled.

Comment #4

bojanz commented 19 October 2015 at 10:59

This is a dangerous action we inherited from the D6 version, but I'm afraid that removing it this late in the release cycle would cause a riot.

Remove "Execute arbitrary PHP script" action

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Related issues

Referenced by

News items

Our community

Documentation

Drupal code base

Governance of community