Heine

  • home
  • drupal
  • drupal core commits
  • about
Home › Drupal

Access denied - Are you sure?

Heine — Fri, 21/03/2008 - 05:23

It is surely not my intend to discuss each and every security announcement, but the recent Live announcement (SA-2008-021) deserves to get some attention as this particular drupal_access_denied & drupal_not_found pitfall affects you too, especially when you are converting "arrow code" to use guard clauses.

// Arrow code.
// This drupal_access_denied / drupal_not_found pattern is common in Drupal modules.
function page_callback() {
  if (condition) {
    if (another_condition) {
      if (yet_another_condition) {
        return do_something();
      }
    }
  }
  drupal_access_denied();
}

// Guard clauses with a security vulnerability ahead.
function page_callback() {
  if (!condition) {
    drupal_access_denied();
  }
  if (!another_condition) {
    drupal_access_denied();
  }
  if (!yet_another_condition) {
    drupal_access_denied();
  }

  return do_something();
}

The pitfall: drupal_access_denied emits the access denied page, but does not end the request. This means do_something() is still executed, with potential security vulnerabilities as a result. When you actually test an access denied scenario and do_something returns a string, you'll notice you get a double page rendered; one part contains the access denied page, the other the output of do_something.

The remedy is easy, use return drupal_access_denied(); instead of drupal_access_denied();

// Guard clauses (these can often be collapsed into one if()).
function page_callback() {
  if (!condition) {
    return drupal_access_denied();
  }
  if (!another_condition) {
    return drupal_access_denied();
  }
  if (!yet_another_condition) {
    return drupal_access_denied();
  }

  return do_something();
}

Average: 4.9 (11 votes)
  • Drupal
  • Pitfalls
  • Planet Drupal
  • Security

Hi, I just did a search in a

peach - all drupal themes (not verified) — Fri, 21/03/2008 - 10:26

Hi, I just did a search in a folder with a bunch of drupal modules;

*.module; "return drupal_access_denied" : found 4 files

* .module; " drupal_access_denied" (note 2 spaces before function) : found 21 files

Does that mean all the modules in the second group are insecure? or possibly insecure?

  • reply

maybe

greggles (not verified) — Fri, 21/03/2008 - 14:09

It depends what comes on the following lines.

if it just does

if (something) {
  drupal_access_denied();
  something_else_important();
  return;
}
other_stuff();

Then the other_stuff is protected by the return on the following line.

  • reply

I want to know how Heine has

xamox (not verified) — Sun, 23/03/2008 - 03:06

I want to know how Heine has become such a security ninja. He seems to be the master at finding these security bugs. Props to you man.

  • reply

excellent

Pedro Pablo (not verified) — Thu, 17/07/2008 - 00:00

it is so comfortable to know people like you are watching out to protect us from the bad guys... :-)
Very good discovery as it will enhance many modules' security

  • reply

In a lot of cases you won't

Xano — Sat, 20/09/2008 - 00:27

In a lot of cases you won't be able to end the request by returning drupal_access_denied() or drupal_not_found(), because the function these calls are made in are no direct menu callback. The solution is to simply exit; right after calling one of the aforementioned functions.

  • reply

Post new comment

I reserve the right to edit any comment submitted to the site. If your comment contains flaming, advertisements, or simply too many spelling errors (leet speak), it may never appear.
The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>
  • Lines and paragraphs break automatically.
  • You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <as>, <as3>, <csharp>, <diff>, <drupal5>, <drupal6>, <html>, <js>, <mysql>, <php>, <phpbrief>, <python>, <sql>, <plain>, <xml>. Beside the tag style "<foo>" it is also possible to use "[foo]". PHP source code can also be enclosed in <?php ... ?> or <% ... %>.

More information about formatting options

Recent posts

  • The Joomlafication of the Dutch-speaking community
  • Upgraded from 6.14 to 6.15, but Drupal still thinks it's 6.14?
  • Google Friendconnect Drupal module not recommended (yet)
  • The OpenID 2.0 Compliance Crusade - Part I
  • Using <embed> for XSS
more

Security reviews

  • Afraid custom code makes your site vulnerable?
  • You don't really trust that module you just downloaded from Drupal.org?

Sleep better after a security review.

Tags

Captcha CSRF DOH! Drupal embed Input Format modx OpenID Performance Planet Drupal Security Varnish
more tags
  • home
  • drupal
  • drupal core commits
  • about

Copyright © 2010 by Heine Deelstra. All rights reserved.