The module reports, "Untrusted users are not allowed to input dangerous HTML tags." even when the default input format is set to Full HTML.

Files
#6: 925832_default_filter_no_role.patch (1.35 KB, greggles)

Comments

coltrane

What have you set your untrusted roles to at Administer › Reports › Security review? If you don't have anonymous users marked as untrusted then the check will pass.

greggles

Status: Active » Postponed (maintainer needs more info)

matason

Status: Postponed (maintainer needs more info) » Needs review

Apologies for the initial bug report, here's a more detailed report:

Fresh install of Drupal 6.19
Logged in as user/1
Change the default input format to Full HTML
Download and install Security Review 6.x-1.0
Ensure anonymous user is marked as untrusted - (both anonymous and authenticated are checked by default)
Run checklist - everything passes

Expected - it possibly should flag up the potential dangers of the current input format configuration

It could be argued that without any additional permissions set this site is still secure(?), so...

Give anonymous users permission to view and add comments
Run checklist - everything passes

Expected - it should flag up the security vulnerability anonymous users can now exploit

I am happy to work on a patch if you feel that this behaviour is desirable.

coltrane

Thanks for the detailed report matason, I'll need to test from a fresh install because I have yet to duplicate this bug on my Drupal 6 dev install. Security Review is *not supposed* to allow that to pass, it's checking for what you described (anonymous untrusted and Full HTML as default) so it's odd that it's failing.

coltrane

Status: Needs review » Active

(Setting back to active since there's no patch yet)

You're welcome to take a look at the code and see if you can spot any problem in this check.

greggles

Status: Active » Needs review
File: 925832_default_filter_no_role.patch (1.35 KB, new)

I think I've figured this out.

Security Review is looking for the roles that can use the input format. If you complete the steps exactly as matason described that will be the case. However, as soon as you click "configure" in the Full HTML input format and then click save on the configuration screen (without changing anything) then Security Review will recognize it as a problem.

So, I now check to see if the filter is the default filter and if it is then say all roles can use it.
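A standalone illustration of the corrected role check greggles describes, added here as an example and not the module's own code or the committed patch: the default format is treated as usable by every role, covering the case where its `roles` column stays empty until its configuration form is saved. The format rows, role ids and the list of tags counted as dangerous are constructed assumptions shaped like Drupal 6's `filter_formats` table, not values taken from Security Review.

```php
<?php
// Constructed sample rows shaped like Drupal 6 {filter_formats}: 'roles' is a
// comma-delimited list with leading/trailing commas (",1,2,"). The default
// format (Full HTML) has an empty 'roles' string because its configuration
// form was never saved after it became the default, which is the bug above.
$formats = array(
  1 => array('format' => 1, 'name' => 'Filtered HTML', 'roles' => ',1,2,',
             'filter_html' => TRUE, 'allowed_html' => '<a> <em> <strong>'),
  2 => array('format' => 2, 'name' => 'Full HTML', 'roles' => '',
             'filter_html' => FALSE, 'allowed_html' => ''),
);
$default_format  = 2;             // what variable_get('filter_default_format') would return
$all_roles       = array(1, 2);   // anonymous (1) and authenticated (2)
$untrusted_roles = array(1, 2);   // Security Review marks both untrusted by default

// Role ids that may use a format. The fix from comment #6: the default format is
// usable by every role no matter what its 'roles' column contains.
function format_roles(array $format, $default_format, array $all_roles) {
  if ($format['format'] == $default_format) {
    return $all_roles;
  }
  $ids = array_filter(explode(',', $format['roles']), 'strlen');
  return array_map('intval', $ids);
}

// A format is dangerous for untrusted users when it skips the HTML filter
// entirely or its allowed-tag list includes tags that can run script.
// The tag list is an assumption for this example, not the module's list.
function format_is_dangerous(array $format) {
  $dangerous = array('script', 'iframe', 'object', 'embed', 'style', 'link', 'meta', 'applet');
  if (!$format['filter_html']) {
    return TRUE;
  }
  preg_match_all('/<([a-z0-9]+)/i', $format['allowed_html'], $m);
  return (bool) array_intersect(array_map('strtolower', $m[1]), $dangerous);
}

// Names of dangerous formats that at least one untrusted role can use.
function untrusted_dangerous_formats(array $formats, $default_format, array $untrusted, array $all_roles) {
  $flagged = array();
  foreach ($formats as $format) {
    $usable = array_intersect(format_roles($format, $default_format, $all_roles), $untrusted);
    if ($usable && format_is_dangerous($format)) {
      $flagged[] = $format['name'];
    }
  }
  return $flagged;
}

// Without the default-format rule Full HTML's empty 'roles' hides it and the check passes.
print_r(untrusted_dangerous_formats($formats, $default_format, $untrusted_roles, $all_roles));
```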

matason

Status: Needs review » Reviewed & tested by the community

Thanks @greggles, you beat me to it; the patch works.

I repeated the steps in #3 with it applied, and the report now indicates that "Untrusted users are allowed to input dangerous HTML tags".

Good work!

coltrane

Status: Reviewed & tested by the community » Fixed

Nice, thanks greggles and matason. What a confusing bug. The workflow bug should be fixed in core.

I committed #6 with a modification to the help message. http://drupal.org/cvs?commit=441960

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.