Common code mistakes that open vulnerabilities

Posted by coltrane

Hi,

As part of an effort to expand Drupal-specific static code analysis tests for vulnerabilities, underway in Coder 7.x-2.x (http://drupal.org/node/1844870), I am curious about common errors made by developers that open up exploits. What problems are easy to make (and discover) that we can 1) write automated checks for and 2) get corrected in newer major versions of Drupal core?

For example, in Drupal 6 drupal_set_title() set the contents of the h1 tag without sanitizing the argument, and developers commonly passed it the raw node title, opening up an XSS exploit. Drupal 7 sanitizes the input for drupal_set_title() by default.

What common mistakes have you seen in Drupal 6 and 7?

Comments

a few

Posted by coltrane

Drupal 6

  • drupal_set_title

Drupal 6 and Drupal 7

  • not using t() correctly (common root of lots of XSS)
  • drupal_set_message
  • printing $_GET in the theme
  • printing arg() in the theme
  • printing unsafe properties of node object

+1 for "printing unsafe properties of node object"

Posted by daniel.nitsche

+1 for "printing unsafe properties of node object"; it's very easy to shoot yourself in the foot with something like this:

// Preprocess hooks receive the variables array by reference in Drupal 7.
function mytheme_preprocess_node(&$vars) {
  $field = field_get_items('node', $vars['node'], 'field_xss');
  // 'value' is the raw, unfiltered text the user entered into the field.
  $unfiltered_output = $field[0]['value'];
  // Printing it as-is puts unescaped user input into the page: XSS.
  print $unfiltered_output;
}

I wish the fields were called "unsafe value" and "value", rather than "value" and "safe_value" :)
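An added example (not code from the thread) that puts the unsafe pattern from the comment above next to the sanitized alternatives, and applies the same rule to the node title and query string from the list earlier in the thread. It assumes Drupal 7, a hypothetical theme "mytheme", the field name "field_xss" from the comment, and a constructed query parameter "highlight".

```php
<?php
// Added example, not from the thread. Assumes Drupal 7, a hypothetical
// theme "mytheme", the field "field_xss" from the comment above and a
// constructed query parameter "highlight".

/**
 * Implements hook_preprocess_node().
 */
function mytheme_preprocess_node(&$vars) {
  $node = $vars['node'];
  $items = field_get_items('node', $node, 'field_xss');
  if (empty($items)) {
    return;
  }

  // UNSAFE: 'value' is the raw, unfiltered user input stored in the field.
  // Printing this in node.tpl.php reproduces the XSS from the comment above.
  $vars['field_xss_unsafe'] = $items[0]['value'];

  // SAFE for text fields: 'safe_value' has already been run through the
  // field's text format when the entity was loaded. It only exists for
  // text fields with text processing enabled, so fall back to check_plain().
  $vars['field_xss_safe'] = isset($items[0]['safe_value'])
    ? $items[0]['safe_value']
    : check_plain($items[0]['value']);

  // SAFE for any field type: let the field formatter do the sanitizing and
  // hand the template a rendered string.
  $element = field_view_value('node', $node, 'field_xss', $items[0]);
  $vars['field_xss_rendered'] = render($element);

  // Same rule for the node title: it is user input, so escape it via a
  // t() placeholder. '@' escapes, '%' escapes and emphasizes, '!' passes
  // the value through unchanged and must never be used for user input.
  $vars['heading'] = t('Viewing @title', array('@title' => $node->title));

  // Same rule for $_GET: never print it directly in the theme.
  $vars['highlight_notice'] = '';
  if (isset($_GET['highlight'])) {
    $vars['highlight_notice'] = t('Highlighting %term',
      array('%term' => $_GET['highlight']));
  }
}
```

Each of the `$vars` entries can then be printed from node.tpl.php; only `field_xss_unsafe` is dangerous, and it is included solely to show what the original snippet was doing.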
