It should not be possible to execute code placed in a .info file. However, since .info values are often displayed to the user, it is possible to execute JavaScript.
There are situations where this is a little nasty. For example, it is possible to add JavaScript into a module's .info file that can automatically install the module when the user visits the /admin/build/modules page. A line of .info that could do this:
package = "Bad judgement<script type='text/javascript'>if($('#edit-status-mymodule').attr('checked')!=true){$('#edit-status-mymodule').attr('checked','checked');$('#edit-status-mymodule').parents('form').submit();}</script>"
I've attached a one-liner patch that will cause all .info values to be run through filter_xss(). Please note that this has already been reviewed by the security team and this patch is considered a non-critical hardening.
Edit by greggles: this does not need to be handled as a security bug. If someone can write malicious code to your .info files you are already screwed from a security perspective. This is just a hardening and can be handled publicly.
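To make the hardening concrete, here is an added example (not the attached patch and not Drupal core code) that models the path from a .info file to the modules page: a minimal key = value parser stands in for drupal_parse_info_format(), and htmlspecialchars() stands in for filter_xss(), which is not available outside Drupal (filter_xss() strips disallowed tags rather than escaping them, so the output differs, but the effect of keeping the script out of the page is the same). The .info contents and both render functions are constructed for this example.

```php
<?php
// Added example: not the issue's patch and not Drupal code.
// Models .info values reaching the admin/build/modules page, unescaped
// (the reported problem) versus escaped (the hardening the patch aims for).

// Constructed .info contents carrying the payload shape from the report,
// with a harmless alert() in place of the auto-install script.
$info_text = <<<'INFO'
name = "My Module"
description = "Does something useful"
package = "Bad judgement<script>alert('xss')</script>"
core = 6.x
INFO;

/**
 * Hypothetical simplified parser: turns key = value lines into an array.
 * Stands in for drupal_parse_info_format(); it does not handle arrays
 * or multi-line values.
 */
function parse_info_minimal(string $text): array {
  $values = [];
  foreach (preg_split('/\R/', $text) as $line) {
    $line = trim($line);
    // Skip blank lines and ; comments.
    if ($line === '' || $line[0] === ';') {
      continue;
    }
    if (preg_match('/^([a-z_][a-z0-9_]*)\s*=\s*(.*)$/i', $line, $m)) {
      // Strip surrounding quotes only; the inner content is kept verbatim.
      $values[$m[1]] = trim($m[2], " \t\"'");
    }
  }
  return $values;
}

/**
 * Vulnerable rendering: .info values are concatenated into HTML untouched,
 * so a <script> in the package field reaches the administrator's browser.
 */
function render_module_row_unsafe(array $info): string {
  return '<td>' . $info['name'] . '</td><td>' . $info['package'] . '</td>';
}

/**
 * Hardened rendering: every .info value is escaped before output.
 * htmlspecialchars() is the stand-in here for running values through
 * filter_xss() as the attached patch does.
 */
function render_module_row_safe(array $info): string {
  $esc = function (string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
  };
  return '<td>' . $esc($info['name']) . '</td><td>' . $esc($info['package']) . '</td>';
}

$info = parse_info_minimal($info_text);
// The first line contains a live <script> tag; the second renders it as text.
echo render_module_row_unsafe($info), PHP_EOL;
echo render_module_row_safe($info), PHP_EOL;
```

The point of the hardening is that the escaping (or filtering) happens once, at the boundary where parsed .info values are handed to the output layer, so no individual admin page has to remember to do it.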
Comment | File | Size | Author
---|---|---|---
#6 | filter-xss-info-for-admins.patch | 366 bytes | humansky
 | filter-xss-info.patch | 545 bytes | sime
Comments

Comment #1
sime: and ready for review

Comment #2
sime: Please note greggles' edit on the OP concerning security. (Someone unpublished this node and didn't leave a message in the log.)

Comment #4
pwolanin

Comment #5
humansky: filter-xss-info.patch queued for re-testing.

Comment #6
humansky

Comment #7
kscheirer: #6: filter-xss-info-for-admins.patch queued for re-testing.

Comment #9
mgifford

Comment #15
GuyPaddock (GuyPaddock at RedBottle Design, LLC for Inveniem): Bear in mind that Features is going to be the easiest way to exploit this vulnerability since it generates info files. Be sure only trusted site users can create new Features.

Comment #17
GuyPaddock (GuyPaddock for Inveniem)

Comment #23
quietone (as a volunteer): This looks like a duplicate of an earlier issue, #637538: Module and theme names are not filtered on output. And notes that drupal_parse_info_format() was removed Mar 2013 in #1793074: Convert .info files to YAML.