Issue #2934520 by tstoeckler: Avoid information disclosure by timing attack in EntityResource::patch()

8.5.x
Lee Rowlands 2018-01-05 17:11:04 +10:00
parent be569c75d7
commit 2971ea9d10
No known key found for this signature in database
GPG Key ID: 2B829A3DF9204DC4
1 changed files with 1 additions and 1 deletions

@ -288,7 +288,7 @@ class EntityResource extends ResourceBase implements DependentPluginInterface {
// the user has no legitimate way of knowing the current value of fields
// that they are not allowed to view, and we must not make the presence or
// absence of a 403 response a way to find that out.
if ($original_field->equals($received_field) && $original_field->access('view')) {
if ($original_field->access('view') && $original_field->equals($received_field)) {
return FALSE;
}
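Review bot: The comment above the condition explains the 403 side channel but does not say why `$original_field->access('view')` has to be the left operand of the `&&`, so a later cleanup could swap the operands back without anyone noticing the regression. Extend that comment with a line stating that the access check must be evaluated first, so that `equals()` is never run against a field the user is not allowed to view and the time taken by the comparison cannot reveal anything about the stored value. A test asserting that `equals()` is not reached when view access is denied would pin the ordering down.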