It should not be possible to execute code placed in a .info file. However, since .info values are often displayed to the user it is possible to execute javascript.

There are situations where this is a little nasty. For example, it is possible to add javascript into a module's .info file that can automatically install the module when the user visits the /admin/build/modules page. A line of .info that could do this:

package = "Bad judgement<script type='text/javascript'>if($('#edit-status-mymodule').attr('checked')!=true){$('#edit-status-mymodule').attr('checked','checked');$('#edit-status-mymodule').parents('form').submit();}</script>"

I've attached a one-liner patch that will cause all .info values to be run through filter_xss(). Please note that this has already been reviewed by the security team and this patch is considered a non-critical hardening.

Edit by greggles: this does not need to be handled as a security bug. If someone can write malicious code to your .info files you are already screwed from a security perspective. This is just a hardening and can be handled publicly.

CommentFileSizeAuthor
#6 filter-xss-info-for-admins.patch366 byteshumansky
filter-xss-info.patch545 bytessime

Comments

sime’s picture

sime
any/any
Location Melbourne
commented
Status: Active » Needs review

and ready for review

sime’s picture

sime
any/any
Location Melbourne
commented

Please note greggles edit on the OP concerning security. (Someone unpublished this node and didn't leave a message in the log.)

Status: Needs review » Needs work

The last submitted patch, filter-xss-info.patch, failed testing.

pwolanin’s picture

pwolanin commented
Version: 6.x-dev » 8.x-dev
Category: task » bug
humansky’s picture

humansky commented
Status: Needs work » Needs review

filter-xss-info.patch queued for re-testing.

humansky’s picture

humansky commented
StatusFileSize
new filter-xss-info-for-admins.patch366 bytes
kscheirer’s picture

kscheirer
Primary language English
Location Vallejo
commented

#6: filter-xss-info-for-admins.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, filter-xss-info-for-admins.patch, failed testing.

mgifford’s picture

mgifford
he/him
Primary language English
commented
Assigned: sime » Unassigned
Issue summary: View changes

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

guypaddock’s picture

guypaddock commented

Bear in mind that Features is going to be the easiest way to exploit this vulnerability since it generates info files. Be sure only trusted site users can create new Features.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

guypaddock’s picture

guypaddock commented
Version: 8.6.x-dev » 8.7.x-dev

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Status: Needs work » Closed (duplicate)
Issue tags: +Bug Smash Initiative
Related issues: +#637538: Module and theme names are not filtered on output.

This looks like a duplicate of an earlier issue, #637538: Module and theme names are not filtered on output.. And notes that drupal_parse_info_format() was removed Mar 2013 in #1793074: Convert .info files to YAML.