In our most recent set of security releases, we made some changes in Sugar that address input sanitization issues reported by a 3rd party security researcher. Conveniently, these issues can be addressed with the input validation and CSRF form authentication frameworks added in Sugar 126.96.36.199 and 188.8.131.52. Both of these frameworks offer “soft” failure modes that will log warnings into the sugarcrm.log instead of fatal exceptions.
Input Sanitization Soft Failures
CSRF form authentication is strictly enforced by default. But, up until now, the default for the input validation framework has been to use soft failure mode. Choosing to make soft failure mode the default was a pragmatic decision to maximize compatibility for Sugar customizations while developers updated customizations and integrations. However, these recent reported vulnerabilities make it clear that it is time to take the next step to more strictly enforce input sanitization.
SugarCRM plans to strictly enforce input validation in upcoming releases. We will also remove the soft failure mode options at that time which will break customizations or integrations that have not adopted CSRF form authentication or pass that do not pass input validation.
Strict enforcement of Input Validation and CSRF Form Authentication
You should enable strict enforcement of the Input Validation and CSRF Form Authentication checks now for two reasons: (1) to ensure that your Sugar customizations and integrations work properly after upgrading to our winter releases and (2) to create the most secure environment for your current users. The configuration settings in question are the Input Validation ‘validation.soft_fail’ flag as well as the CSRF ‘csrf.soft_fail_form‘ flag.
Sugar Cloud has disabled soft failure modes by default but for Sugar On-Site you can adjust these settings for yourself. Add the following lines to your config_override.php file.
$sugar_config['validation']['soft_fail'] = false;
$sugar_config['csrf']['soft_fail_form'] = false;
Strictly enforced checks
In response to security issues, there are now strictly enforced input validation checks that ignore the validation.soft_fail configuration setting. In particular, we added strict validation to the platform authentication parameter used in our REST API. This can have an impact on platform identifiers using characters that are not part of the POSIX portable filename character set.
Also recall the disable_unknown_platforms configuration setting affects the use of platforms. Custom platforms should be registered using the Platforms extension. This check is planned to be enforced in Sugar On-Demand in the future as well.
What you need to do to prepare customizations
In development instances,
Set validation.soft_fail setting to false.
Set disable_unknown_platforms setting to true.
Then run regression tests on your integrations and customizations to very they still work.
In production instances,
Enable warn log level to collect and analyze any input validation or platform name violation warnings.
Slides from the UnCon 2016 session on Sugar’s input validation framework are also available in the Sugar Community.
More information about best practices for using the Platform parameter can also be found on a previous post on this blog.