Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
- When SA-CORE-2019-003 was released, it included a new trait.
- Per #20, when Patchman backports security fixes, its policy is to not add new files, so instead it backported the fix into NormalizerBase.php.
- NormalizerBase.php was not modified in that SA or since then. As a result, when site owners using hosting companies (such as A2 Hosting) that use Patchman update to newer releases of Drupal, the site owner receives an email that they installed an insecure version of NormalizerBase.php and that Patchman backported a security fix to it.
- This is a harmless false positive, but it's confusing to site owners.
Proposed resolution
Modify NormalizerBase.php, so that Patchman stops detecting it as a false positive vulnerability, and site owners stop receiving these emails when updating to newer Drupal releases. There's a long docs sentence in the file anyway, which can be improved by splitting into two sentences, so the patch in this issue does that.
Comment | File | Size | Author |
---|---|---|---|
#26 | 3054510-change-file-to-avoid-errant-patching.patch | 914 bytes | Spokje |
#12 | 3054510-change-file-to-avoid-errant-patching.patch | 914 bytes | greggles |
Comments
Comment #2
Wim LeersAre you still using Drupal 8.6.9 or 8.5.10, or older versions?
What your hosting company did is patch your site for https://www.drupal.org/sa-core-2019-003, which they should only do if you're not yet on Drupal 8.6.10/8.5.11 or newer. They modified the official security patch and applied it to your site.
If you already are on a secure Drupal 8 release (by now other security releases have shipped, so 8.6.10/8.5.11 are no longer recommended), then your hosting company shouldn't have patched your site.
Looking forward to hear back from you!
Comment #3
fchandler CreditAttribution: fchandler as a volunteer commentedI am on Drupal 8.7.2. i copied your comment to the hosting company. This is there reply:
Comment #4
Wim LeersIf you're on Drupal 8.7.2, you're definitely already secure, and this is a problem caused by your hosting provider's use of this "Patchman" third party service!
Comment #6
bas123 CreditAttribution: bas123 as a volunteer and commentedI would like to be clear on this!
I too am hosted at A2 Hosting and am constantly receiving emails generated by the Patchman Program that have installed and running on my shared hosting account in my CPanel.
The program consistently sends me warnings about a vulnerability with the same files:
Input Validation vulnerability in Drupal
/home/MYACCOUNT/public_html/core/modules/serialization/src/Normalizer/NormalizerBase.php
Note: I also have two development versions in the same account and those paths are duplicated in the report!
I maintain my updates as soon as they appear (within a day or two) and updated to Drupal Version 8.7.4 just the other day, and yet received an email this morning stating the above vulnerability!
I believe the Patchman program may allow me to exempt this file, but I have concerns about whether the file indeed is in need of attention from its developer(s) or if it merely is being falsely flagged by Patchman!
Any advise?
Comment #7
bas123 CreditAttribution: bas123 as a volunteer and commentedComment #8
penone CreditAttribution: penone commentedOne more for A2 Hosting and the email message regarding this "patch".
Am on Drupal Version 8.7.6 and all is upto date.
Where is patchman getting the patch from and why is this not being patched when updating core?
Comment #9
chris@owen32.org CreditAttribution: chris@owen32.org commentedFresh installs of Drupla 8 also at A2 hosting :: getting the same kind of Patchman messages:
It appears patches are available for application(s) installed in the following path(s):
Input Validation vulnerability in Drupal
/home/xxx/xxx/core/modules/serialization/src/Normalizer/NormalizerBase.php
Clearly D8 new installs are all up to date.
I don't understand that this issue is listed as Closed (fixed).
oh, A2 points to their patch scan process:
Click here to learn more about our perpetual security scans: https://www.a2hosting.com/kb/cpanel/advanced-features/patchman
Comment #10
effulgentsia CreditAttribution: effulgentsia at Acquia commentedAnyone know the process for engaging with Patchman to fix this on their end?
Comment #11
effulgentsia CreditAttribution: effulgentsia at Acquia commentedJust a wild guess here, but I wonder if what's happening is due to a combination of:
In other words, Patchman thinks that file was vulnerable prior to SA-CORE-2019-003 (which it wasn't), and that's the file that people still have, even with newer Drupal versions.
So maybe we can make patchman happy by simply committing some minor change to NormalizerBase.php so as to give it a newer timestamp and contents than what its state was prior to SA-CORE-2019-003?
Comment #12
gregglesVery interesting theory!
This patch applies to 9.0, 8.9, 8.8, 8.7. Could someone on A2 hosting try uploading a fresh copy of NormalizerBase.php that has had this patch applied and see if Patchman still modifies it?
It was honestly hard to find something worth changing. I felt like this code comment was a bit of a run-on sentence which made it a good choice to split.
Leaving as "Needs work" for now as I don't want the testbot to waste its time on this until we know it will address the patchman issue.
Comment #13
bas123 CreditAttribution: bas123 as a volunteer and commented@greggles
This came today, attached is the file as a txt:
Comment #14
mr.baileysI use Patchman, and this issue annoys the hell out of me, but I don't think there is anything we can do on the Drupal side, since it is caused by the inability for Patchman to add new files to a system.
This is the official explanation:
Comment #15
greggles@mr.baileys that's great research! Perhaps you could try out #12 and see if that stops the unnecessary patching?
Comment #16
bas123 CreditAttribution: bas123 as a volunteer and commentedWith respect to @mr.baileys quote, I can confirm that this issue predates Drupal 8.6.10 by no less than 6 months!
I have been receiving emails from A2 Hosting's Patchman since sometime in 2018 every time I update Drupal core!
So just for some redundancy, here's what I got today!
Which of course will be followed up in a few days with a report that they have saved the day and patched the file!
Comment #17
bas123 CreditAttribution: bas123 as a volunteer and commentedIT GETS WORSE
Got this one today!
Comment #18
gregglesI put a patch in #12 that might help fix this problem.
Please test it.
Comment #19
daveonaka CreditAttribution: daveonaka commentedI raised this issue to A2 Hosting again as of Jun 20, 2020. There is now an open ticket for all hosted Drupal 8 sites. They also sent the following:
——-
Greetings!
Thank you for your report.
Patchman patches can be disabled in the cPanel interface. I've provided an article below on how to do this. We've also reported this bug to our Operations team for further investigation to see if they can get the issue with the false-positive emails resolved. We do see a couple of other reports complaining about Patchman catching the "NormalizerBase.php" file with Drupal 8 specifically. We will monitor their investigation and provide you with updates as they become available.
How to access and manage Patchman
https://www.a2hosting.com/kb/cpanel/advanced-features/patchman#Managing-...
Please do not hesitate to ask if you have any other questions or concerns.
Best Regards,
Comment #20
patchman-jelmerverkleij CreditAttribution: patchman-jelmerverkleij commentedHello,
My name is Jelmer Verkleij, and I am the Chief Technology Officer at Patchman. As I understand this may be somewhat confusing, I would like to add additional clarification, in addition to the comments that have in fact already been quoted here from support cases we handled in the past.
Specifically, the messages from effulgentsia and mr.baileys already explain the core element of this. I hope I can shed some additional light on the background.
One of Patchman's key features is that we backport official security fixes to older versions of the same software, so that websites can be secured without requiring an immediate full update. We strongly believe that an update is always the best path forward for ongoing security, but this approach gives website owners some time (and breathing room) to prepare for such an update, as we all know that depending on configuration, themes, plugins etc, that may not be trivial to complete successfully.
When we backport a security fix for older (Drupal) versions, we can only patch existing files, not create entirely new ones. That is to say, we explicitly do not want to add that functionality to our product. We have a responsibility to create a secure product with minimal risk to all the websites we are hired to protect, and every additional feature we add to our own product risks creating more bugs and/or attack surface for malicious actors. That care is not done instead of, but in addition to rigorous testing we do of our product anyway. Our product is designed specifically to only be able to modify files which are marked by our own signature set as being vulnerable - that means we've intentionally limited our software to not be able to modify random files on your websites, let alone create or delete them. All this to say that this is a self-imposed restriction.
In the vast majority of cases, this doesn't actually matter. Many vulnerabilities don't actually require new files to be added - new code to pre-existing files is far more common. However, there are exceptions, and this specific advisory is one of them. And that means we are forced to use a workaround.
That workaround is essentially to ship code in another file than the new file - in this case, NormalizerBase.php. Again, this by itself is usually not an issue, if the file we pick happens to be changed in a future version, because then it is different from the state of that file we associate with vulnerable applications.
Unfortunately, this is a very specific case where that doesn't hold - the file went unchanged long after the vulnerability got fixed in the official Drupal versions. That results in Patchman incorrectly flagging new versions as vulnerable. I am very aware that this is confusing, annoying and maybe even alarming - we are telling you that something is vulnerable when in fact it really isn't. However, we have put a lot of care into our patches to make sure that executing them even on these newer versions doesn't actually break anything - it is a benign no-op, as it were - and the few cases where this leads to miscommunication are far outweighed by the hundreds of thousands of Drupal websites we managed to secure by shipping this patch to our customers.
Naturally, there is a key takeaway from this for us: using NormalizerBase.php was probably not the best choice, and whenever a new case like this pops up in future security releases, we will continue to try and find other files which may be more prone to upstream changes than this one (although of course we don't want to stick a change just anywhere randomly in the application, as that has other clear downsides).
None of this is going to change the emails that were sent out, nor are we going to change the way we flag this specific vulnerability going forward. However, there are two additional notes I can offer as potential remediation:
I am interested to know if either of these flows applise to e.g. bas123 - if they don't, I definitely want to investigate how a regular upgrade would cause these messages to occur. As it is definitely not my intention to hijack this topic and turn it into a Patchman support conversation, feel free to send me an email personally at jelmer.verkleij@patchman.co with more information so I can look into this for you.
I hope I was able to shed some light on the background of this, and while it may not immediately alleviate the problems you are having, I hope you understand that our design decisions are always made with maximum website security for Drupal site owners in mind.
Best regards,
Jelmer Verkleij
Chief Technology Officer
Patchman B.V.
Comment #21
effulgentsia CreditAttribution: effulgentsia at Acquia commentedThank you for the confirmation and explanation, Jelmer!
I think that answers the question from #12, so I'm RTBCing that patch as something worth getting into 9.1. I think it's also harmless enough and worthwhile to cherry pick into 9.0 as well, but it needs to get into 9.1 first.
Comment #22
effulgentsia CreditAttribution: effulgentsia at Acquia commentedUpdated the issue summary for committers and people coming to this issue in the future.
Comment #23
bas123 CreditAttribution: bas123 as a volunteer and commentedNew vulnerabilities are being reported by Patchman as of the latest Drupal v 8.8.10 and Open Social v 8.x-9.2 updates
I do not know how or where these need reporting so perhaps this can be disseminated from here!
Comment #24
gregglesHIding 2 unnecessary files from the issue summary. This remains RTBC by effulgentsia from #21 after insight from the Patchman CTO in #20.
Comment #26
SpokjeRe-uploading
3054510-change-file-to-avoid-errant-patching.patch
so it's get tested ewvery 2 days against9.2.x-dev
.Comment #28
gregglesI don't think the fails are from the patch in #26.
The core automated testing page says there are some fails in core on its own.
Back to RTBC based on effulgentsia in #21.
Also adjusting credit a smidge.
Comment #30
greggleslongwave suggested in slack that these random fails are likely just less reliable tests.
Back to RTBC based on effulgentsia in #21.
Comment #31
alexpottCommitted and pushed 6366c55572 to 9.2.x and 373528eda0 to 9.1.x. Thanks!
Hopefully in the future patchman chooses a better file / way to work out if a site is vulnerable. I'm not a huge fan of this patch and hopefully committing this will not set a precedent for these types of fixes in the future - however given this solves users current issues going to commit and ask a release manager about backport to 8.9.x
Comment #34
gregglesThanks so much, @alexpott.
From the perspective of the Security Team members who deal with support requests related to this, it would be great to backport to 8.9.x. I'm going to tentatively move to needs review on that branch, but if a decision is made not to backport it can of course be moved back to fixed.
I also agree that I hope we won't have to make a habit of making commits like this.
Comment #35
Taran2LThis is indeed a very annoying thing. I'm setting the patch to retest on 8.9.x and if it's green (why not, right) I think this is RTBC
Comment #36
Taran2LComment #37
alexpottDiscussed with @catch we agreed to backport this to 8.9.x
Comment #39
gregglesThank you alexpott, catch and everyone who helped with this issue. I'm glad we were able to come up with a solution to prevent this confusing message from the patchman software.