Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.The administration form uses check_plain() on default values for text fields, which is incorrect use.
The text in text fields does not need to be escaped because text fields don't render HTML that is typed within them, so there is no security risk from useing the exact value given by the user previously.
The problem with using check plain is that if you have characters that get escaped, like & being changed to &, then every time you save that form the value of that field is changed and potentially the name of your permission is changed, which means it will technically be a new permission and no roles will have access until you go and configure the permissions again.
This is not a security issue because it causes users to not have access to pages they should have access to instead of the other way around.
I have now noticed that there is also check_plain() used on the machine name of the permissions when in hook_permission().
This is also bad because it means that incorrect (escaped) machine names are being stored to the database.
For example, I have a permission called "news & events page" and in my database after a while for my permissions I have all these:
news & events page (Boolean) TRUE
news & events page (Boolean) TRUE
news & events page (Boolean) TRUE
Notice that none of them are the real value.
This shouldn't be escaped like this.
We will also need a database update to try to fix this when we change it to work without the escaping.
It will also need a notice to users to double check their permissions for all their custom perms.
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | config_perms-check_plain-2126775-4.patch | 6.2 KB | rooby |
Comments
Comment #1
rooby CreditAttribution: rooby commentedAdding code tag around some html entities and adding note about permission machine names being stored wrongly.
Comment #2
rooby CreditAttribution: rooby commentedAssigning to myself as I am working on this.
Comment #3
rooby CreditAttribution: rooby commentedHere is a patch that addresses this.
It removes the calls to check_plain() and includes a database update script to fix any existing config perms in the case that some had escaped characters.
If you have the ctools module enabled this patch also requires the patch at #2127635: Cached versions are not cleared appropriately when using ctools or the update script will fail if there are any exising config perms to fix.
Comment #4
rooby CreditAttribution: rooby commentedOops, forgot the patch.
Comment #5
mlncn CreditAttribution: mlncn commentedApplied in commit 6c9cce7 with credit to rooby but running update database results in this error repeatedly:
array_unshift() expects at least 2 parameters, 1 given config_perms.install:151which, i must admit, is a pretty good point to make.
Able to help clean this up before a release?
Comment #6
rooby CreditAttribution: rooby commentedOops, it should be array_shift() not array_unshift().
I can reroll shortly.
Comment #7
mlncn CreditAttribution: mlncn commentedNo need to reroll; thanks for everything— updated in 7.x-2.x-dev.