Problem/Motivation

The help block previously checked menu_tab_root_path() to see if it was on a valid page or not; that was replaced with checking the system path directly.
However, the system path is still specified even if it's a 403 or 404, and help blocks have been showing up ever since #2100073: Convert local_actions to the new local action plugins.

Proposed resolution

Fix the test coverage, and check for an exception.

Remaining tasks

N/A

User interface changes

N/A

API changes

N/A
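
The failure mode from the issue summary, reduced to a self-contained PHP sketch. This is an added example, not Drupal's code or the committed patch; `DemoRequest`, `errorStatus`, both functions and the help text are hypothetical names and constructed data.

```php
<?php
// Added illustration; not Drupal code. All names here are hypothetical.

// Minimal stand-in for a request: the router records the requested system
// path even when access is denied, and marks error responses separately.
final class DemoRequest {
    public function __construct(
        public string $systemPath,
        public ?int $errorStatus = null // 403/404 when the request failed, else null
    ) {}
}

// Constructed help texts keyed by system path.
const HELP_TEXT = [
    'admin/index' => 'This page lists the administrative tasks of each module.',
];

// "Before": decides from the path alone, so a denied request still gets help.
function helpForPathOnly(DemoRequest $r): string {
    return HELP_TEXT[$r->systemPath] ?? '';
}

// "After": an error response never renders help, whatever the path says.
function helpUnlessError(DemoRequest $r): string {
    if ($r->errorStatus !== null) {
        return '';
    }
    return HELP_TEXT[$r->systemPath] ?? '';
}

// Constructed cases: an administrator, an anonymous visitor (403), a bad URL (404).
$cases = [
    'admin, 200'     => new DemoRequest('admin/index'),
    'anonymous, 403' => new DemoRequest('admin/index', 403),
    'anonymous, 404' => new DemoRequest('admin/no-such-page', 404),
];

foreach ($cases as $label => $request) {
    printf("%-15s path-only: %-3s  with error check: %s\n",
        $label,
        helpForPathOnly($request) === '' ? 'no' : 'yes',
        helpUnlessError($request) === '' ? 'no' : 'yes');
}

// Regression-style checks: a denied request renders no help, a valid one does.
assert(helpUnlessError($cases['anonymous, 403']) === '');
assert(helpUnlessError($cases['admin, 200']) !== '');
```

The `anonymous, 403` row is the regression: the path-only check reports help for `admin/index` even though the request was denied.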

Comments

tim.plunkett

Issue tags: +Quick fix

Here's the fix and a test.

xjm

Status: Active » Needs review

I kept reloading this trying to figure out why the bot wasn't picking it up.

The last submitted patch, 1: help-2245783-1-FAIL.patch, failed testing.

xjm

Status: Needs review » Reviewed & tested by the community

Looks good.

xjm

To illustrate the bug, here's admin/index before and after the patch when logged out.

Before

After

xjm

Issue summary: View changes

tim.plunkett

Priority: Normal » Major

Discussed with @webchick, decided this was major. It's a) very disconcerting b) possibly dangerous to show help text for admin pages to anonymous and unprivileged users.

  • Commit a839132 on 8.x by webchick:
    Issue #2245783 by tim.plunkett: Regression: Help blocks display on 403/...

webchick

Status: Reviewed & tested by the community » Fixed

Given that this could potentially cause an information disclosure vulnerability, escalating to major. Nice find, nice fix, and nice tests. :)

Committed and pushed to 8.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.