Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
per SA-CORE-2009-007
The forum module does not check the incoming tid:
It appears that the forum module allows malicious HTML. Example:
http://drupal.org/?q=forum/pipes%22%3E%3Ch1%3Emalicious%20html%3Ctable
D6 patch was:
Index: modules/forum/forum.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/forum/forum.pages.inc,v
retrieving revision 1.2
diff -u -p -r1.2 forum.pages.inc
--- modules/forum/forum.pages.inc 26 Jul 2007 06:48:03 -0000 1.2
+++ modules/forum/forum.pages.inc 16 May 2009 16:53:33 -0000
@@ -10,6 +10,11 @@
* Menu callback; prints a forum listing.
*/
function forum_page($tid = 0) {
+ if (!is_numeric($tid)) {
+ return MENU_NOT_FOUND;
+ }
+ $tid = (int)$tid;
+
$topics = '';
$forum_per_page = variable_get('forum_per_page', 25);
$sortby = variable_get('forum_order', 1);
Comment | File | Size | Author |
---|---|---|---|
#43 | 520736.patch | 6.85 KB | grendzy |
#41 | 520736.patch | 6.85 KB | grendzy |
#39 | 520736.patch | 6.88 KB | grendzy |
#35 | 520736.patch | 6.76 KB | grendzy |
#33 | 520736.patch | 6.72 KB | grendzy |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedI always forget to change the status.
Comment #3
MichelleThere's another issue out there somewhere for making this not only check that it's numeric but also check that the number is actually a forum term so you don't get wierd results by passing TIDs from non forum terms. I don't know if that can be added here or has to be seperate from this security patch but thought I'd mention it as long as you're patching that bit. :)
Michelle
Comment #4
kjy07 CreditAttribution: kjy07 commentedAttached patch includes check to verify the provided term is valid.
Comment #6
alexanderpas CreditAttribution: alexanderpas commentedI think we should just commit the patch in #1, and put the other part in a follow-up, as in the current state, it severely changes behaviour of that function (in case of a 0).
Comment #7
kjy07 CreditAttribution: kjy07 commentedThe conditional statement in #4 won't allow zero values for $tid to pass. It will display the Forum overview or no Forums defined message (whichever is appropriate), rather than returning MENU_NOT_FOUND.
Comment #10
brianV CreditAttribution: brianV commentedAttached patch uses filter_var() to validate that $tid is an integer greater than or equal to 0. Furthermore, it checks to make sure it's a valid taxonomy term in the forum vocabulary.
Comment #11
brianV CreditAttribution: brianV commentedErr, now with whitespace fixes.
Comment #13
brianV CreditAttribution: brianV commentedComment #15
brianV CreditAttribution: brianV commentedComment #17
brianV CreditAttribution: brianV commentedFinal pass.
I removed the checks ensuring that the taxonomy term is valid and is a forum term as I decided to rethink where they should be implemented. I will be opening a separate issue for that.
This final patch accomplishes only what is needed to fix this issue - that is, the security issue.
Comment #18
webchickCould someone please take a look at this so we can ship alpha 1 with no known security holes? :)
Comment #19
Damien Tournoud CreditAttribution: Damien Tournoud commentedI suggest we fix that properly.
The real issue is that the forum module is using menu loaders improperly. Here is a minimal fix.
Comment #20
Damien Tournoud CreditAttribution: Damien Tournoud commentedBy the way, properly using menu loaders also fixes #221860: 404 pages and containers.
Comment #21
brianV CreditAttribution: brianV commentedLooks good to me, but I will wait for someone else to verify the fix as well since it's a security issue.
Are going to want to re-backport this fix to D6 after?
Comment #22
gregglesIt seems there is an incomplete docblock in the comments for forum_forum_load? It looks like you were going to define the keys in the array and then forgot.
I tried to confirm that this patch fixes the original security bug, but I can no longer directly reproduce that bug.
Steps to repeat:
1. Install core
2. Create a container
3. Create a forum inside that container
4. Post a node into that forum from step 3
5. Visit http://7d.local/forum/pipes%22%3E%3Ch1%3Emalicious%20html%3Ctable
Expected results:
The <1>malicious html<table would be injected into the page as html.
Actual results:
They aren't included as HTML, though I do get a "No forums defined" message which DamZ is right makes less sense than a 404.
After applying the patch and rebuilding the cache I get a 404 which feels more appropriate and is a performance improvement (since requests for invalid pages should do as little work as possible and 404 pages are relatively lightweight).
In summary: I think the security issue has been fixed already elsewhere, but the current patch in #19 is an improvement to core.
Needs work for the documentation.
Comment #23
sun.core CreditAttribution: sun.core commented#19: 520736-forum-menu-load-crazyness.patch queued for re-testing.
Comment #24
grendzy CreditAttribution: grendzy commentedpatch looks good, but I agree the docblock is incomplete. The return value now looks something like
tid (String)
vid (String)
name (String)
description (String)
format (String)
weight (String)
vocabulary_machine_name (String)
rdf_mapping (Array)
parents (Array)
forums (Array)
Powered by Dreditor.
Comment #25
gregglesOk, here is a re-roll with that included in the docblock and to fix some offsets.
Comment #26
grendzy CreditAttribution: grendzy commentedApplies cleanly. Confirmed this is the same fix as #19 plus the corrected docblock.
Comment #27
Dries CreditAttribution: Dries commentedThis looks good, although the code in forum_forum_load() could use some additional code comments. Care to try and add some?
Comment #28
aspilicious CreditAttribution: aspilicious commentedPutting to needs work, please add some comments so we can clean up the issue queue.
Comment #29
mr.baileysDowngrading to normal and removing tags.
Comment #30
mr.baileysWhoops, sorry, thought this was commited and set to needs work for comments only...
Comment #31
grendzy CreditAttribution: grendzy commentedRevised patch with code comments, and correct docblock. Functionally equivalent to #19.
Comment #33
grendzy CreditAttribution: grendzy commentedwhoops, forgot to remove the git prefix.
Comment #34
pwolanin CreditAttribution: pwolanin commentedcode style problem:
remove extra ; and usually we don't have assignment and return on the same line.
Comment #35
grendzy CreditAttribution: grendzy commentedgood catch.
Comment #36
dmitrig01 CreditAttribution: dmitrig01 commentedSpace between - and the key please. And add single quotes.
Unneeded
Space between '-' and the key please. And add single quotes.
Other than that, looks good.
Comment #37
dmitrig01 CreditAttribution: dmitrig01 commentedComment #38
pwolanin CreditAttribution: pwolanin commentedthis is a bit inconsistent:
versus:
Comment #39
grendzy CreditAttribution: grendzy commentedincorporating feedback from dmitrig01 and pwolanin.
Comment #41
grendzy CreditAttribution: grendzy commentedComment #42
catchThis should be !isset().
Otherwise looks good.
104 critical left. Go review some!
Comment #43
grendzy CreditAttribution: grendzy commentedchanged to !isset().
Comment #44
catchLooks great.
Comment #45
webchickThe amount of code being changed here makes me go "EEEEE!" and think we probably need tests for this. But I talked it over with catch. It would be odd to test just one menu router path's security and not all of them, and it would also be odd to test that a function which only accepts an int as valid input only accepts an int as valid input... and we're not likely to break this again.
So therefore, committed to HEAD. Thanks a lot for your work on this folks! Great to see the number of known security holes coming down.
Comment #47
andypostThis fix leads to unavailability to fix #148145: "Forums" title is not localized
Because user can only rename /forum menu item and not /forum/%