Problem/Motivation
We've added protection to core for https://www.drupal.org/sa-core-2018-002 and https://www.drupal.org/sa-core-2018-004 but we omitted test coverage to not give hackers any hints of how to exploit the vulnerability. However both have now been publicly exploited therefore we should add the tests so that we don't break this important functionality.
Proposed resolution
Add tests
Remaining tasks
User interface changes
None
API changes
None
Data model changes
None
Comment | File | Size | Author |
---|---|---|---|
#9 | 2969053-9.patch | 10.27 KB | alexpott |
#9 | 7-9-interdiff.txt | 1.65 KB | alexpott |
#7 | 2969053-7.patch | 10.27 KB | alexpott |
#7 | 4-7-interdiff.txt | 1.18 KB | alexpott |
#4 | 2969053-4.patch | 10.27 KB | alexpott |
Comments
Comment #2
alexpottHere's a start from the work on tests in the security issue. I think the tests can be improved to be easier to maintain.
Comment #3
alexpottHere's a rework so that you don't have to set a requests query, cookie, and request parameters all the same.
Bit of a complete re-work so no interdiff.
Comment #4
alexpottSlight tweak so that all the Request object is tested together and all of the globals are tested together.
Comment #5
alexpottI've used PHPUnit and Xdebug to confirm that the current test exercises 100% of the code. So at least we know every line is exercised. It would be good to confirm that all the logic is tested. Note that external destinations are not a concern because they are removed by \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination(). I think though at some point we should file a follow to merge that functionality into the RequestSanitizer and also fix it. The conversion to Symfony's request introduced 2 bugs in it. Opened an issue for this #2969207: RedirectResponseSubscriber::sanitizeDestination() was upgraded from Drupal 7 incorrectly
Comment #6
benjy CreditAttribution: benjy at Unearthed commentedTests look good to me, tiny phpcs issue.
Normally array keys and function args are single quotes.
Comment #7
alexpottThanks for the review @benjy. Patch attached addresses that and also a couple of other code style things.
Comment #8
samuel.mortensonNits:
Missing comment in docblock.
I think
$request->overrideGlobals()
will do this as well.Other than that this looks like good coverage.
Comment #9
alexpottThanks for the review @samuel.mortenson
1. Fixed
2.
$request->overrideGlobals()
does more - it also sorts the query string. Personally I think we should do this on every request to normalise stuff for caches but that's not what we do now. One thing investigating this idea did bring up is that the test assumes the php ini varrequest_order
is CGP but actually by default in php.ini its GP for security reasons so I've changed the test to reflect that.Comment #10
samuel.mortensonInterdiff and a re-review looks good to me.
Comment #12
alexpottHEAD failing.
Comment #24
alexpottAdding contributors to the original issues because they all reviewed the test coverage too.
Comment #28
alexpottSome more people.
Comment #30
tim.plunkettComment #33
catchCommitted/pushed to 8.7.x and cherry-picked to 8.6.x. Thanks!