CVS edit link for jimbullington

I would like to become the maintainer of the webform report module - http://drupal.org/project/webform_report. The module has been discontinued because of a security issue (http://drupal.org/node/540980). I have developed a patch for the issue (posted at http://drupal.org/node/550636), but the current maintainer appears to be out of touch. I would like to incorporate this module into my site, so I would like to see the module fixed and able to move forward.

Comments

jimbullington’s picture

Status: Postponed (maintainer needs more info) » Needs review
Status: new | Size: 25.16 KB

I have created a patch for the 5.x-2.2 version (Not on the list for some reason - http://ftp.drupal.org/files/projects/webform_report-5.x-2.2.tar.gz ) of the webform report module that (hopefully) corrects the XSS issues.

  1. All db_query requests have been parameterized
  2. All $_POST usage has been removed - hook_load and hook_form have been reworked to use more generally accepted Drupal coding standards
  3. Secure text handling from this article has been incorporated.
  4. Some other minor fixes and refactoring

avpaderno’s picture

This CVS application then requires that somebody from the security team chime in to report whether the original security issue has been resolved in the module you propose.

jimbullington’s picture

grendzy is reviewing the patches at http://drupal.org/node/550636. Let me know if I need to do anything else.

grendzy’s picture

subscribe (I'll try to do another review soon).

avpaderno’s picture

Status: Needs review » Postponed

I am changing the status, waiting for grendzy (or somebody else from the security team) to report whether the reported patch resolves the security issue reported for the original module.

@jimbullington: Thank you for applying for a CVS account, and contributing to Drupal.

grendzy’s picture

Status: Fixed » Reviewed & tested by the community

Patch #24 in #550636: Fix security vulnerabilities in webform report addresses all of the issues I could find.

avpaderno’s picture

Status: Postponed » Fixed

Thank you, grendzy, for having verified the patch.

avpaderno’s picture

I granted jimbullington access to the project CVS. To become the current maintainer, another report should be opened.

jimbullington’s picture

Status: Reviewed & tested by the community » Fixed

Thanks kiamlaluno. Do I need to open another report under CVS applications or under webform report?

avpaderno’s picture

Do I need to open another report under CVS applications or under webform report?

The offer to become project maintainer should be placed in the project queue, to allow the current maintainers to see it.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

avpaderno’s picture

Component: Miscellaneous » co-maintainer application
Assigned: Unassigned » avpaderno