Next release of paranoia


I'm working on a new release of paranoia. In addition to blocking more permissions I'd like to include a feature that blocks all the import boxes that run php from the user interface (e.g. the "Import Views" box).

The issue to do that needs review and is at https://www.drupal.org/node/2313945

Once that hook is in, we would need to add in a bunch more form IDs to block.
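The two layers described in this thread, blocking a PHP-evaluating import form at the form level and denying its URL at the router level, look like this in a Drupal 7 module. This is an added example, not Paranoia's own code, and it assumes a module named "blockphp", the Views 7.x-3 import form ID 'views_ui_import_page' and its path 'admin/structure/views/import'; the further form IDs the post mentions are left for the module author to add.

```php
<?php
/**
 * @file
 * Added example (not Paranoia's code): block a UI form that evaluates PHP
 * at the form level and at the URL level in a Drupal 7 module.
 *
 * Assumptions: module name "blockphp", form ID 'views_ui_import_page' and
 * router path 'admin/structure/views/import' for the Views import screen.
 */

/**
 * Returns the form IDs that must never be built or submitted.
 */
function blockphp_blocked_form_ids() {
  return array(
    // Views 7.x-3 "Import Views": the pasted export is run through eval().
    'views_ui_import_page',
  );
}

/**
 * Returns the router paths whose menu items should deny all access.
 */
function blockphp_blocked_paths() {
  return array(
    'admin/structure/views/import',
  );
}

/**
 * TRUE when $form_id is on the block list (exact, case-sensitive match).
 */
function blockphp_form_is_blocked($form_id) {
  return in_array($form_id, blockphp_blocked_form_ids(), TRUE);
}

/**
 * Implements hook_form_alter().
 *
 * Form level: refuse to build the form at all. Hiding the submit button or
 * setting #access on single elements is not enough, because a form that was
 * built can still be submitted by a hand-crafted POST carrying a valid token.
 */
function blockphp_form_alter(&$form, &$form_state, $form_id) {
  if (blockphp_form_is_blocked($form_id)) {
    // Deliver the 403 page and end the request, so the form array is never
    // rendered and form_builder() never reaches the submit handlers.
    drupal_access_denied();
    drupal_exit();
  }
}

/**
 * Implements hook_menu_alter().
 *
 * URL level: a boolean access callback of FALSE makes the router deny the
 * path for everyone, including users who hold 'administer views'. Router
 * items are only rebuilt on menu_rebuild(), so clear caches after enabling.
 */
function blockphp_menu_alter(&$items) {
  foreach (blockphp_blocked_paths() as $path) {
    if (isset($items[$path])) {
      $items[$path]['access callback'] = FALSE;
      unset($items[$path]['access arguments']);
    }
  }
}
```

Both layers are needed: the form-level check catches the form wherever it is rendered (including embedded via drupal_get_form() on another path), while the router-level denial stops the request before any of the page's code runs.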

Comments

rickmanelius wrote:

Neat! In addition to blocking certain forms, is there any value in blocking particular forms from being altered? My initial sense is no, but I'd have to think through it in more detail. An obvious use case is credit card forms, but it could be equally useful in plugging holes in, say, a password reset form modified to email out a second password reset link.

Again, probably off topic and I'd be happy to chime in on the primary issue that needs review.

pwolanin wrote:

Might be interesting to also include some suggestions or documentation around http://php.net/manual/en/ini.core.php#ini.disable-functions

Though that has to be in the actual .ini file.
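Because disable_functions is a PHP_INI_SYSTEM directive, it can only be set in php.ini (or the web server's or FPM pool's own configuration), never from ini_set() or a .htaccess php_value. A module can still read the effective value and report what is left open. The following is an added example, not code from the thread or from Paranoia; the watchlist of function names is an assumption, chosen from functions commonly disabled on hardened hosts.

```php
<?php
/**
 * Added example: compare the running disable_functions setting against a
 * watchlist and return the functions that are still callable.
 *
 * The watchlist below is an assumption for illustration, not a list from
 * the thread or from any Drupal module.
 */
function example_watched_functions() {
  return array(
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'pcntl_exec',
  );
}

/**
 * Parses the php.ini value into a lookup table of disabled names.
 *
 * php.ini accepts a comma-separated list; surrounding whitespace is ignored
 * and function names are case-insensitive, so everything is lower-cased.
 */
function example_parse_disable_functions($value) {
  $names = preg_split('/[\s,]+/', strtolower(trim((string) $value)), -1, PREG_SPLIT_NO_EMPTY);
  return array_fill_keys($names, TRUE);
}

/**
 * Returns the watched functions that are not in the disabled list.
 */
function example_still_enabled(array $watched, $disable_functions_value) {
  $disabled = example_parse_disable_functions($disable_functions_value);
  $enabled = array();
  foreach ($watched as $name) {
    if (!isset($disabled[strtolower($name)])) {
      $enabled[] = $name;
    }
  }
  return $enabled;
}

// Usage: check the configuration this PHP process is actually running with.
$gaps = example_still_enabled(example_watched_functions(), ini_get('disable_functions'));
if ($gaps) {
  echo 'Still callable: ' . implode(', ', $gaps) . PHP_EOL;
}
else {
  echo 'All watched functions are disabled.' . PHP_EOL;
}

// A php.ini line that would close every gap in the watchlist above:
// disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
```

Run it under the same SAPI as the site (mod_php or php-fpm), since the CLI binary usually reads a different php.ini and will report a different result.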

greggles wrote:

It's tricky to draw the line, but I think that's more appropriate for https://www.drupal.org/project/security_review which is about analyzing and reporting. Paranoia is more about actively blocking.

greggles wrote:

So, I committed that patch and a handful of other features. Executing PHP via the Views import screen is now blocked at the URL level and the form level.

I'd love some verification that the current dev branch generally works. I plan to tag a new release in the next week or so.

greggles wrote:

Oh, and PS: I've written a new patch that will remove other active sessions if a user changes their password: https://www.drupal.org/node/2294061

This is something that's been suggested to me from a few different angles. The basic goal is that if someone's account has been compromised, then using the password reset link and resetting your password will completely lock out a malicious user.

It seems like a worthwhile feature to have in the Paranoia module.
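The behaviour described in this post, logging out every other session the moment the account's password changes while keeping the session that made the change, can be implemented in Drupal 7 as below. This is an added example written against the Drupal 7 API, not the patch in the linked issue (whose code is not on this page); the module name "mysessions" is an assumption.

```php
<?php
/**
 * @file
 * Added example (not the Paranoia patch): drop every other session of an
 * account when its password changes, so an attacker who is already logged
 * in is locked out as soon as the owner resets the password.
 *
 * Assumption: module name "mysessions".
 */

/**
 * Implements hook_user_update().
 *
 * user_save() hashes a new password before invoking this hook and keeps the
 * stored field values in $account->original, so comparing the two hashes
 * tells us whether the password actually changed on this save.
 */
function mysessions_user_update(&$edit, $account, $category) {
  if (!isset($account->original) || $account->pass === $account->original->pass) {
    return;
  }

  // Keep the session that performed the change only when the account owner
  // did it (e.g. after a one-time login link). When an administrator resets
  // someone else's password, every session of that account goes.
  $keep_sid = NULL;
  if ($GLOBALS['user']->uid == $account->uid && drupal_session_started()) {
    $keep_sid = session_id();
  }

  $removed = mysessions_delete_other_sessions($account->uid, $keep_sid);
  if ($removed) {
    watchdog('mysessions', 'Removed @count other session(s) of user @uid after a password change.',
      array('@count' => $removed, '@uid' => $account->uid), WATCHDOG_NOTICE);
  }

  // Rotate the surviving session's ID as well, so a cookie captured before
  // the change is no longer valid either.
  if ($keep_sid !== NULL) {
    drupal_session_regenerate();
  }
}

/**
 * Deletes all sessions of $uid except $keep_sid (or all of them when NULL).
 *
 * Drupal 7 stores the raw PHP session ID in {sessions}.sid, so the value of
 * session_id() can be compared directly.
 *
 * @return int
 *   Number of session rows removed.
 */
function mysessions_delete_other_sessions($uid, $keep_sid = NULL) {
  $query = db_delete('sessions')->condition('uid', $uid);
  if ($keep_sid !== NULL) {
    $query->condition('sid', $keep_sid, '<>');
  }
  return $query->execute();
}
```

The check is on the stored hash rather than on $edit['pass'], so it also fires for password changes made by code paths that do not go through the account form. Sessions that authenticated over a different cookie (for instance the ssid column when mixed-mode SSL sessions are enabled) live in the same rows and are removed by the same query.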

mpdonadio wrote:

"I've written a new patch that will remove other active sessions if a user changes their password."

This should be in core. Add a checkbox to the form(s) to do it. I think I may make the feature request for 8.1.x to do it, and come up with a patch.

greggles wrote:

Alrighty - now published at https://www.drupal.org/node/2498469

I've committed 2 new features so they'll get some good testing from anyone who uses the dev release.