Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9/25
Vulnerability: Access bypass

Description

The renderkit module contains components that transform the display of the field items passed to them.

Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.

This only occurs if all of the following conditions are true:

  • Your site has a field where viewing access is restricted on field level, e.g. using the "Field permissions" module.
  • The access-restricted field is displayed using the "Field with formatter" entity display from renderkit, in combination with one of the affected field display processor components.

Solution

If your site is affected, fixing this issue takes two steps:
Step 1: Install the latest version of renderkit:

If you use the renderkit module for Drupal 7.x, upgrade to Renderkit 7.x-1.14.

Step 2: Review your custom modules.

Look for classes that implement FieldDisplayProcessorInterface.
Consider extending the FieldDisplayProcessorBase class instead of implementing the interface directly.
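To make the review in Step 2 concrete, here is an added example that is not renderkit's own code: a stand-in field display processor in a leaky form (it rebuilds the field element and drops '#access' in the process) and a hardened form (it honours and propagates '#access'). ExampleFieldDisplayProcessorInterface, its process() signature and the example_element_children() helper are assumptions modelled on the advisory text and on Drupal 7's element_children(); the restricted field element at the bottom is constructed sample data.

```php
<?php
// Added example, not code from the renderkit project. The interface, the
// process() signature and example_element_children() are assumptions that
// stand in for renderkit's FieldDisplayProcessorInterface and for Drupal's
// element_children(), so the file runs outside Drupal.

/** Hypothetical stand-in for renderkit's FieldDisplayProcessorInterface. */
interface ExampleFieldDisplayProcessorInterface {
  /**
   * @param array $element
   *   A field render element: '#'-prefixed properties plus numeric deltas.
   * @return array
   *   The transformed render element.
   */
  public function process(array $element);
}

/** Stand-in for Drupal's element_children(): keys not starting with '#'. */
function example_element_children(array $element) {
  $children = array();
  foreach (array_keys($element) as $key) {
    if (substr((string) $key, 0, 1) !== '#') {
      $children[] = $key;
    }
  }
  return $children;
}

/**
 * Leaky variant: builds a fresh wrapper from the items and keeps nothing else.
 * '#access' => FALSE set by field_view_field() is lost, so the renderer has
 * nothing left to deny and a field hidden by "Field permissions" is shown.
 */
class LeakyListProcessor implements ExampleFieldDisplayProcessorInterface {
  public function process(array $element) {
    $items = array();
    foreach (example_element_children($element) as $delta) {
      $items[] = $element[$delta];
    }
    return array('#theme' => 'item_list', '#items' => $items);
  }
}

/**
 * Hardened variant: applies the same rule drupal_render() applies at the top
 * of an element, and carries '#access' into the rebuilt element.
 */
class SafeListProcessor implements ExampleFieldDisplayProcessorInterface {
  public function process(array $element) {
    // '#access' => FALSE means nothing may be rendered, so return nothing.
    if (isset($element['#access']) && !$element['#access']) {
      return array();
    }
    $items = array();
    foreach (example_element_children($element) as $delta) {
      $items[] = $element[$delta];
    }
    $build = array('#theme' => 'item_list', '#items' => $items);
    // Propagate the property so later render stages keep enforcing it.
    if (array_key_exists('#access', $element)) {
      $build['#access'] = $element['#access'];
    }
    return $build;
  }
}

/** Mimics the top-level '#access' check drupal_render() performs. */
function example_would_render(array $build) {
  if (empty($build)) {
    return FALSE;
  }
  return !isset($build['#access']) || (bool) $build['#access'];
}

// Constructed sample: a field the "Field permissions" module denied to the
// current visitor, so field_view_field() set '#access' => FALSE on it.
$restricted_field = array(
  '#field_name' => 'field_internal_note',
  '#access' => FALSE,
  0 => array('#markup' => 'Do not show this to anonymous visitors.'),
);

foreach (array(new LeakyListProcessor(), new SafeListProcessor()) as $processor) {
  $build = $processor->process($restricted_field);
  printf("%-18s renders the restricted field: %s\n", get_class($processor),
    example_would_render($build) ? 'yes (access bypass)' : 'no');
}
```

Run it with `php example.php`. When reviewing a custom processor, the question to ask is the one this script answers: does the '#access' value of the incoming field element survive into whatever the processor returns, or is it silently dropped while the element is rebuilt?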

Also see the Renderkit project page.

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. In recent years he has been actively developing AltaGrade's new back-end system.