Filing this issue so that people interested in the module publicly can follow along.
Comment | File | Size | Author |
---|---|---|---|
#4 | p2rp-noanon.patch | 6.02 KB | poiu |
Comments
Comment #2
kporras07 (CreditAttribution: kporras07 at Manatí) commented:
I'd love to work on this if some help is necessary.
Comment #3
greggles commented:
Thanks, kporras07! Matt and I are coordinating in chat on fixing things and getting the module resupported. If you could review the module for any additional security vulnerabilities, that would be a great help. When it's brought back to supported, we want to make sure there aren't any follow-up security issues.
If you do find a security issue, please report it to the private security team queue.
Comment #4
poiu (CreditAttribution: poiu) commented:
Hi,
As someone who isn't privy to the details of the vulnerability but needs this module (just to make UX better for people who already have an "administer users" permission) - would the attached patch make it "safe"?
It basically takes out all the anon-accessible paths from hook_menu and hook_menu_alter.
Comment #5
flaviovs (CreditAttribution: flaviovs) commented:
I second that question. Does the patch address the issue in the SA?
Comment #6
greggles commented:
The fix in #4 is not sufficient. grasmash and I worked through some changes and the fix is now published at https://www.drupal.org/project/profile2_regpath/releases/7.x-1.13
I've updated the advisory at https://www.drupal.org/node/2824407 to mention this release.
Please update your sites with that release as soon as possible.
Comment #7
flaviovs (CreditAttribution: flaviovs) commented:
Thanks!
Comment #8
mlecha (CreditAttribution: mlecha) commented:
Thank you!
Comment #9
oskylark (CreditAttribution: oskylark) commented:
The version for this issue is 7.x-2.x-dev, yet only version 7.x-1.x has been updated, and version 7.x-2.0-beta3 is no longer supported. Is there a 7.x-2.x-dev release that has had the fix applied, and if so, where is it available?
Thanks
Comment #10
grasmash (CreditAttribution: grasmash) commented:
I've fixed the security vulnerabilities on the 7.x-2.x branch and also created a 7.x-2.0-beta4 release containing the fixes. The security team must review the new security release before it is made publicly available.
Comment #11
greggles commented:
Thanks, grasmash - 7.x-2.0-beta4 was published yesterday.