Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
A security review is appropriate prior to bumping to 7.x-1.0 and falling under the security advisory policy.
Proposed resolution
One or more security-focused reviews by someone other than the author.
Remaining tasks
N/A
User interface changes
N/A
API changes
N/A
Data model changes
N/A
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | security_review_for-2849322-6.patch | 3.27 KB | bighappyface |
Comments
Comment #2
WidgetsBurritos commentedhttp://cgit.drupalcode.org/resource_hints/tree/resource_hints.module?id=...
Should we make sure
$valuedoesn't have an unsanitized '>' here, and anywhere else used like this?In its current implementation, it's probably not a security issue, but it may protect against weird stuff happening in alter hooks if you decide to support that in the future.
Comment #3
WidgetsBurritos commentedJust tested it, and at the very least, I managed to botch my headers pretty good:
Link:<//www.google.com>;x;y;z;>; rel="dns-prefetch", <//www.google.com>;x;y;z;>; rel="preconnect", <//www.google.com>;x;y;z;>; rel="prefetch", <//www.google.com>;x;y;z;>; rel="prerender"Comment #4
bighappyface commentedPerhaps just running all line items through
valid_urlto validate the input?https://api.drupal.org/api/drupal/includes%21common.inc/function/valid_u...
It looks like it will work for our needs.
Comment #5
WidgetsBurritos commented+1
Comment #6
bighappyface commentedComment #7
WidgetsBurritos commentedComment #8
WidgetsBurritos commented+1
Comment #10
bighappyface commentedComment #11
bighappyface commented