@bmunslow, thanks for a good idea! We used it for our work.
BUT note, your sandbox has a critical security vulnerability:
rebuild_ajax_forms_rebuild_form() calls an arbitrary function with arbitrary parameters.
For example, post in 'form_data':

'callback' => 'call_user_func_array',
'form_id' => 'user_role_change_permissions',
'args' => array(
  0,
  array(
    'any permission' => 'now available for anonimous'
  ),
),

Comments

rimen created an issue. See original summary.

bmunslow’s picture

Hi @rimen,

Thank you for reporting this issue.

It is critical indeed and I'm researching what the best way to handle the issue would be... since the module fundamentally relies on that POST request and it's impossible to foresee which callbacks users will need to invoke.

Any ideas on how to proceed will be appreciated as well.

bmunslow’s picture

Issue tags: +Security
bmunslow’s picture

Assigned: Unassigned » bmunslow
Status: Active » Needs review

Please find patch attached that fixes this issue.

The patch basically makes it a requirement to implement a new hook in order to rebuild the forms:

hook_rebuild_ajax_forms_callback_alter

This way, only registered callbacks in installed modules will be allowed to be executed.

It would be of great assistance if someone could review it and confirm there are no further issues with it.

  • bmunslow committed 0c76776 on 7.x-1.x
    Issue #2908604 by bmunslow: Critical security vulnerability
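
The allowlist approach described in the comment above, shown as an added example rather than the committed patch: the posted callback name is dispatched only if it appears in a registry. The registry function stands in for whatever the hook collects from installed modules, and every example_* name is hypothetical; only the 'callback', 'form_id' and 'args' keys come from the report.

```php
<?php
// Added illustration, not the module's code. All example_* names are hypothetical.

// Constructed stand-in for a form builder that a module chose to expose.
function example_build_form(string $form_id, array $args): string {
  return 'rebuilt ' . $form_id . ' with ' . count($args) . ' argument(s)';
}

// Assumption: in the module this list would be gathered from installed
// modules through the alter hook; here it is a fixed array.
function example_registered_callbacks(): array {
  return ['example_build_form'];
}

// Dispatch only when the posted callback is a registered function name.
function example_rebuild_form(array $form_data): string {
  $callback = $form_data['callback'] ?? null;
  $form_id = $form_data['form_id'] ?? null;
  $args = $form_data['args'] ?? [];

  // Reject non-string callbacks outright: an array such as
  // ['SomeClass', 'method'] is also a valid PHP callable.
  if (!is_string($callback) || !is_string($form_id) || !is_array($args)) {
    throw new InvalidArgumentException('malformed form_data');
  }
  // Strict, exact-match lookup against the registry.
  if (!in_array($callback, example_registered_callbacks(), true)) {
    throw new RuntimeException('callback not registered');
  }
  return call_user_func($callback, $form_id, array_values($args));
}

// Constructed requests: one registered callback, the callback named in the
// report, and an array-style callable.
$requests = [
  ['callback' => 'example_build_form', 'form_id' => 'example_form', 'args' => [1]],
  ['callback' => 'call_user_func_array', 'form_id' => 'example_form', 'args' => []],
  ['callback' => ['SomeClass', 'method'], 'form_id' => 'example_form', 'args' => []],
];

foreach ($requests as $form_data) {
  try {
    echo example_rebuild_form($form_data), PHP_EOL;
  } catch (Exception $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
  }
}
```

A registered callback still receives 'form_id' and 'args' from the request, so it has to validate them and enforce its own access checks.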
    
bmunslow’s picture

Status: Needs review » Fixed

Patch tested in production environment and looks good to me. Setting this to fixed. Thanks @rimen for reporting.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.