[development] security: people can no longer "administer" blocks.

Bèr Kessels ber at webschuur.com
Thu Jan 5 21:40:01 UTC 2006


I can no longer allow anyone on my network (nor would I advice anyone to do 
so) to "administer" blocks. 
The result is "no sorry Mr Client, you cannot change that link in that block, 
only I can".

The reason is simple: PHP input. 
It is too late, sorry for that, but I only realize this now[1]. allowing users 
to paste PHP is a security issue, a severe one. 

I see a few solutions. And I think we should consider adding them to drupal 
before 4.7. A patch is not too hard, the consensus is. I think. 

* Add a new permission: moderate blocks (people can only change the content of 
the blocks)
* Remove the "show it here and there" alltoghether and leave it to the themes 
(my favorite) to choose where, when and how to display blocks.
* Limit the allowed PHP. this, i fear is a very, very hard one. One that will 
render php mode unusable too.
* Only show (and save!!) the phpmode option for uid 1. I dislike this, because 
I prefer to do nothing with uid1.

I for one, will certainly not -ever- allow my users to add php, (wich allows 
them to hack the complete server, with some creativity)

[1] http://www.webschuur.com/node/409

More information about the development mailing list