Posted by greggles on March 9, 2015 at 10:40pm
I'm working on a new release of paranoia. In addition to blocking more permissions I'd like to include a feature that blocks all the import boxes that run PHP from the user interface (e.g. the "Import Views" box).
The issue to do that needs review and is at https://www.drupal.org/node/2313945
Once that hook is in we would need to add in a bunch more form IDs to block.
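As an added illustration of what "blocking at the URL level and the form level" looks like in Drupal 7 (this is a constructed example for a hypothetical module named `blockimport`, not paranoia's own code; the Views 3 path `admin/structure/views/import` and form ID `views_ui_import_page` are assumed to match the installed Views version):

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "blockimport" (constructed example).
 *
 * Blocks a UI form that evaluates PHP pasted by the user at both layers:
 * the menu router (URL level) and the form build (form level), so that
 * neither a direct request nor an alternative route to the form works.
 */

/**
 * Form IDs that accept PHP and should never be reachable.
 * 'views_ui_import_page' is the Views 3 "Import" form (assumed).
 */
function blockimport_blocked_form_ids() {
  return array(
    'views_ui_import_page',
  );
}

/**
 * Implements hook_menu_alter().
 *
 * URL level: a boolean FALSE access callback makes the router deny the
 * path outright, so the form is never built for a direct GET or POST.
 */
function blockimport_menu_alter(&$items) {
  if (isset($items['admin/structure/views/import'])) {
    $items['admin/structure/views/import']['access callback'] = FALSE;
  }
}

/**
 * Implements hook_form_alter().
 *
 * Form level: even if the form is reached some other way (a second menu
 * entry, drupal_get_form() from custom code), refuse to build or process it.
 */
function blockimport_form_alter(&$form, &$form_state, $form_id) {
  if (in_array($form_id, blockimport_blocked_form_ids(), TRUE)) {
    watchdog('blockimport', 'Blocked access to form %form_id.',
      array('%form_id' => $form_id), WATCHDOG_WARNING);
    drupal_access_denied();
    drupal_exit();
  }
}
```

The two hooks are deliberately redundant: the menu alter stops the obvious request, and the form alter catches any path that still builds the form, which is why a list of form IDs (rather than paths) is the thing to extend.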
Comments
Neat! In addition to blocking
Neat! In addition to blocking certain forms, is there any value in blocking particular forms from being altered? My initial sense is no, but I'd have to think through it in more detail. An obvious use case is credit card forms, but it could be equally useful in plugging holes in say a password reset form modified to email out a second password reset link.
Again, probably off topic and I'd be happy to chime in on the primary issue that needs review.
Might be interesting to also
Might be interesting to also include some suggestions or documentation around http://php.net/manual/en/ini.core.php#ini.disable-functions
Though that has to be in the actual .ini file.
It's tricky to draw the line,
It's tricky to draw the line, but I think that's more appropriate for https://www.drupal.org/project/security_review which is about analyzing and reporting. Paranoia is more about actively blocking.
knaddison blog | Morris Animal Foundation
So, I committed that patch
So, I committed that patch and a handful of other features. Executing PHP via the views import screen is now blocked at the URL level and the form level.
I'd love some verification that the current dev branch generally works. I plan to tag a new release in the next week or so.
OH, and PS - I've written a
OH, and PS - I've written a new patch that will remove other active sessions if a user changes their password. https://www.drupal.org/node/2294061
This is something that's been suggested to me from a few different angles. The basic goal is that if someone's account has been compromised, then using the password reset link and resetting your password will completely lock out a malicious user.
It seems like a worthwhile feature to have in the Paranoia module.
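The lock-out behaviour described in this comment, as a constructed Drupal 7 example for a hypothetical module named `pwsessions` (this is not the patch in the linked issue and not paranoia's code; it assumes the D7 `sessions` table stores the raw `session_id()` in its `sid` column):

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "pwsessions" (constructed example).
 *
 * Ends every other session of a user whose password was just changed, so
 * that resetting the password also evicts anyone else logged in to the
 * account. The session performing the change is kept.
 */

/**
 * Implements hook_user_update().
 *
 * user_save() only leaves $edit['pass'] set when a new password was supplied
 * (by the time this hook runs it already holds the new hash), so its
 * presence is the "password changed" signal.
 */
function pwsessions_user_update(&$edit, $account, $category) {
  if (!empty($edit['pass'])) {
    $ended = pwsessions_destroy_other_sessions($account->uid, session_id());
    if ($ended) {
      watchdog('pwsessions', 'Password changed for uid %uid; ended @count other session(s).',
        array('%uid' => $account->uid, '@count' => $ended), WATCHDOG_NOTICE);
    }
  }
}

/**
 * Delete all sessions for $uid except $keep_sid (the session doing the
 * change). Returns the number of sessions removed.
 */
function pwsessions_destroy_other_sessions($uid, $keep_sid) {
  $query = db_delete('sessions')->condition('uid', $uid);
  // An empty sid means this request has no session (e.g. drush); then
  // every session of the user is removed.
  if ($keep_sid !== '') {
    $query->condition('sid', $keep_sid, '<>');
  }
  return $query->execute();
}
```

Keeping the current session matters for the password reset flow: the one-time login link creates the session that submits the new password, and that is the one the legitimate user is sitting in, while all older sessions, including an attacker's, are removed.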
I've written a new patch that
This should be in core. Add a checkbox to the form(s) to do it. I think I may make the feature request for 8.1.x to do it, and come up with a patch.
Alrighty - now published at
Alrighty - now published at https://www.drupal.org/node/2498469
I've committed 2 new features so they'll get some good testing from anyone who uses the dev release.