[Security-news] Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026
security-news at drupal.org
security-news at drupal.org
Wed Jul 1 16:36:58 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-026
Project: Renderkit [1]
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: *Less critical* 9∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
The renderkit module contains components which can transform the display of
field items sent to it.
Some of these components do not respect the '#access' property on the field
render element, and thus can make rendered field values visible to visitors
who would otherwise not be allowed to see those field values.
This only occurs if all of the following conditions are true:
* Your site has a field where viewing access is restricted on field level,
e.g. using the "Field permissions" module.
* The access-restricted field is displayed using the "Field with formatter"
entity display from renderkit, in combination with one of the affected
field display processor components.
Solution:
If a site is affected there are 2 steps to fix this issue on a site:
.... Step 1: Install the latest version of renderkit:
* If you use the renderkit module for Drupal 7.x, upgrade to Renderkit
7.x-1.14 [3].
.... Step 2: Review your custom modules.
Look for classes that implement FieldDisplayProcessorInterface.
Consider to extend the FieldDisplayProcessorBase class instead of
implementing the interface.
Also see the Renderkit [4] project page.
Reported By:
* Andreas Hennings [5]
Fixed By:
* Andreas Hennings [6]
* mibfire [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/renderkit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/renderkit/releases/7.x-1.14
[4] https://www.drupal.org/project/renderkit
[5] https://www.drupal.org/user/459338
[6] https://www.drupal.org/user/459338
[7] https://www.drupal.org/user/155136
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list