This was reported to the security team privately, and it was determined that it could be made public. This issue is a public duplicate of that private issue and can be used for the ongoing work.

A security scan of Drupal gives the following error for the Drupal core file \docroot\.ht.router.php.

Affected Components
\docroot\.ht.router.php
Details
The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

Comments

rangasamytk created an issue. See original summary.

larowlan

Status: Active » Postponed (maintainer needs more info)
Issue tags: +Bug Smash Initiative

Please provide steps to exploit; this is likely a false positive produced by an automated scanner.

cilefen

@rangasamytk Did you see the message reading "Security issues should not be reported here." when you created this issue?

greggles

Title: File Inclusion issue » File Inclusion issue security hardening
Issue summary: updated
Status: Postponed (maintainer needs more info) » Needs review

Attaching a patch by mcdruid from a private security team issue.

He should get credit for the patch.

Status: Needs review » Needs work

The last submitted patch, 4: s171603-15_0.patch, failed testing.

anmolgoyal74

Status: Needs work » Needs review

cilefen credited mcdruid.

rangasamytk

@cilefen, mail was also sent already, and during post creation the information isn't shown.

cilefen

@rangasamytk The warning about security issues is the first text after the "Create Issue" title.

chi

Aren't ".ht" files protected in Apache by default?

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

greggles

Issue summary: updated

smustgrave

Status: Needs review » Reviewed & tested by the community

Thank you @greggles

I see all tests pass for 9.5.x and 10.1.x, and it seems like a good change.

alexpott credited brayfe.

alexpott credited pwolanin.

alexpott

Crediting people who created, reviewed and commented on the security issue.

alexpott

Status: Reviewed & tested by the community » Fixed

Committed and pushed 86bced910a to 10.1.x and 58819d7a5e to 10.0.x and 88cf76a010 to 9.5.x. Thanks!

There's existing test coverage that the PHP CLI server works as expected in the build tests.

  • alexpott committed 86bced91 on 10.1.x
    Issue #3191389 by anmolgoyal74, greggles, larowlan, mcdruid, pwolanin,...

  • alexpott committed 58819d7a on 10.0.x
    Issue #3191389 by anmolgoyal74, greggles, larowlan, mcdruid, pwolanin,...

  • alexpott committed 88cf76a0 on 9.5.x
    Issue #3191389 by anmolgoyal74, greggles, larowlan, mcdruid, pwolanin,...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.