Common code mistakes that open vulnerabilities

Posted by coltrane on November 19, 2012 at 5:36pm

Hi,

As part of an effort to expand Drupal-specific static code analysis tests for vulnerabilities underway in Coder 7.x-2.x (http://drupal.org/node/1844870) I am curious of common errors made by developers that open up exploits. What problems are easy to make (and discover) that we can 1) write automated checks for and 2) get those corrected for newer major versions of Drupal core.

For example, in Drupal 6 drupal_set_title() set the contents of the h1 tag without sanitizing the argument, and developers commonly passed it the raw node title, opening up an XSS exploit. Drupal 7 sanitizes the input for drupal_set_title() by default.

What common mistakes have you seen in Drupal 6 and 7?

Comments

a few

Posted by coltrane on November 27, 2012 at 6:45pm

Drupal 6

drupal_set_title

Drupal 6 and Drupal 7

not using t() correctly (common root of lots of XSS)
drupal_set_message
printing $_GET in the theme
printing arg() in the theme
printing unsafe properties of node object

Security

You must register or login in order to post into this group.

Group organizers

Group events

Long Term Support (LTS) BoF at DrupalCon Portland

Start: 2013-05-22 12:00 - 14:00 America/Los_Angeles
Drupal long-term advanced training program - stage 1

Start: 2013-09-06 (All day) - 2013-09-07 (All day) Europe/Kiev

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

All posts:
- Feed
- Page

Hot content this week

Drupal Fit plans for DrupalCon Portland 2013?

16 weeks 5 days ago
Global Training Day in Saint Petersburg [14.06.2013]

19 hours 11 min ago
Redirecting IE9 compatibly with nginx when behind a load balancer

6 days 7 min ago
Portland 2013 Roll Call

6 days 7 hours ago
Tallahassee needs meetups!

11 weeks 6 days ago