LWN: Comments on "A serious Drupal security issue"
https://lwn.net/Articles/750324/

This is a special feed containing comments posted to the individual LWN article titled "A serious Drupal security issue". Feed generated Thu, 16 Oct 2025 09:57:39 +0000 (lwn@lwn.net).

Comment by flewellyn, Thu, 29 Mar 2018 08:35:18 +0000
https://lwn.net/Articles/750375/

At my last job, I spent 12 years as a PHP programmer. I developed large, complex applications in PHP. I learned how to use the language, how to avoid its pitfalls, and how to write flexible and secure code that performed well and was capable of doing the job required, using PHP. I have quite an intimate knowledge of PHP the language, PHP the environment, and PHP the ecosystem. I am very familiar with the PHP way of doing things.

It is for this reason that at my new job, at a company I helped found, neither I nor any programmers who work with me will be using PHP. It is my considered opinion, as an experienced PHP developer, that it is a mistake to use PHP for anything.

Comment by smurf, Thu, 29 Mar 2018 08:08:23 +0000
https://lwn.net/Articles/750369/

It doesn't, probably so as not to give the script kiddies even more ammunition, but it's obvious from the mitigation patch.

I have no idea whether that is intended to be the actual fix, or a stopgap measure for people who can't upgrade. Frankly I'm not at all interested in finding out – as the mere existence of a goofy bug like this, for at least a decade, demonstrates that Drupal is not fixable without spending several man-months' worth of going through the core code with a fine-toothed comb – and I take no bets against that effort ending up requiring so many changes that you'd end up with Drupal 9.

To be fair, it *is* possible to write large projects in PHP without introducing equally large security goof-ups, as Wikipedia and Facebook apparently demonstrate. It's just somewhat more difficult than in many other languages even if you're a disciplined programmer (and much more so if you're not). The reasons are widely known and need not be repeated here.

Comment by flewellyn, Thu, 29 Mar 2018 07:09:17 +0000
https://lwn.net/Articles/750365/

Ahh, so it's an analysis of the code, not an actual quote.

I mean, still... what the hell? That is such terrible, broken design.

Comment by nai9Ahz0, Thu, 29 Mar 2018 06:06:14 +0000
https://lwn.net/Articles/750361/

It's at the end of the patches from https://www.drupal.org/sa-core-2018-002 : https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

Comment by flewellyn, Thu, 29 Mar 2018 05:22:27 +0000
https://lwn.net/Articles/750358/

I can't find where it says that in the blog post you linked.

Comment by smurf, Thu, 29 Mar 2018 00:54:03 +0000
https://lwn.net/Articles/750348/

https://blog.cloudflare.com/drupal-waf-rule-to-mitigate-critical-exploit/ states (misleadingly, as the bug affects the field names, not their content):

"This patch is to disallow forms and form fields from starting with the “#” character which results in remote code execution."

WAT.

This is the entirely wrong solution. The real fix would be to find the Drupal code that treats form and field names as anything other than opaque blobs, and eradicate it. With a large hammer.

Snarky aside: This kind of bug is about what I expect from, well, anything written in PHP. No bets as to whether the Drupal people implement said real fix any time soon …