Skip to content
Snippets Groups Projects

Issue #3478716: [D7] Full path disclosure from errors on maintenance pages

Open Issue #3478716: [D7] Full path disclosure from errors on maintenance pages
issue/drupal-3478716:3478716-d7-full-path into 7.x
Open Ra Mänd requested to merge issue/drupal-3478716:3478716-d7-full-path into 7.x

Issue #3478716: [D7] Full path disclosure from errors on maintenance pages

Closes #3478716

Edited by Ra Mänd

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
  • Ra Mänd changed the description

    changed the description

  • Ra Mänd changed target branch from 11.x to 7.x

    changed target branch from 11.x to 7.x

  • Ra Mänd changed title from git commit -m 'Issue #3478716: [D7] Full path disclosure from errors on maintenance pages' to Issue #3478716: [D7] Full path disclosure from errors on maintenance pages

    changed title from git commit -m 'Issue #3478716: [D7] Full path disclosure from errors on maintenance pages' to Issue #3478716: [D7] Full path disclosure from errors on maintenance pages

  • Ra Mänd
    Ra Mänd @ram4nd
    Author

    The issue here is that during Drupal boostrap phases, configuration runs before variables are loaded. The error is always shown, because default was show all errors. The current change just edits the default value to none as default. It solves the security issue, but it doesn't fix the underlying problem. Where you never get the correct value from variable_get, when the function gets triggered before variables are loaded.

Please register or sign in to reply