[development] security: people can no longer "administer" blocks.
ber at webschuur.com
Thu Jan 5 21:40:01 UTC 2006
I can no longer allow anyone on my network (nor would I advice anyone to do
so) to "administer" blocks.
The result is "no sorry Mr Client, you cannot change that link in that block,
only I can".
The reason is simple: PHP input.
It is too late, sorry for that, but I only realize this now. allowing users
to paste PHP is a security issue, a severe one.
I see a few solutions. And I think we should consider adding them to drupal
before 4.7. A patch is not too hard, the consensus is. I think.
* Add a new permission: moderate blocks (people can only change the content of
* Remove the "show it here and there" alltoghether and leave it to the themes
(my favorite) to choose where, when and how to display blocks.
* Limit the allowed PHP. this, i fear is a very, very hard one. One that will
render php mode unusable too.
* Only show (and save!!) the phpmode option for uid 1. I dislike this, because
I prefer to do nothing with uid1.
I for one, will certainly not -ever- allow my users to add php, (wich allows
them to hack the complete server, with some creativity)
More information about the development