This was previously reported to the Drupal Security Team and has been deemed appropriate for a public issue.

Problem/Motivation

In some site configurations the /media/oembed endpoint, if passed a bad hash value, returns a cacheable response. In these circumstances all media OEmbeds will be broken.

Proposed resolution

Return an uncacheable response to bad input.

Release notes snippet

@todo

Background information
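
A check an operator could run over captured responses to confirm that a bad-hash request to /media/oembed no longer yields something a forward proxy may reuse. This is an added example, not code from the issue or from Drupal core; the rules are a simplified reading of RFC 9111 and the sample status codes and headers are constructed.

```python
"""Can a shared cache (forward or reverse proxy) reuse this response?

Simplified reading of RFC 9111; the sample responses are constructed.
"""

# Status codes a cache may store without explicit freshness (RFC 9110, 15.1).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Return {directive: argument or None}, directive names lower-cased."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_reuse(status, headers):
    """True if a shared cache may serve this response again without asking the origin."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if {"no-store", "no-cache", "private"} & cc.keys():
        return False
    for directive in ("s-maxage", "max-age"):  # s-maxage takes precedence in shared caches
        if directive in cc:
            try:
                return int(cc[directive]) > 0
            except (TypeError, ValueError):
                return False  # unparsable freshness is treated as already stale
    if "expires" in h or "public" in cc:
        return True  # simplification: an Expires date in the past is not evaluated
    return status in HEURISTICALLY_CACHEABLE


# Constructed samples for a request to /media/oembed with a bad hash value.
SAMPLES = {
    "error with public freshness": (403, {"Cache-Control": "max-age=3600, public"}),
    "error marked uncacheable": (400, {"Cache-Control": "must-revalidate, no-cache, private"}),
    "error with no cache headers": (400, {}),
}

if __name__ == "__main__":
    for label, (status, headers) in SAMPLES.items():
        verdict = "REUSABLE by proxy" if shared_cache_may_reuse(status, headers) else "not reusable"
        print(f"{status} {label}: {verdict}")
```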

Comments

cilefen created an issue.

cilefen commented:

Status: Active » Needs review

Committers: please also credit seanB, acbramley, and phenaproxima.

I am testing my original patch.

catch credited acbramley.

catch credited seanB.

cilefen commented:

Files (status, size):

  • new, 792 bytes
  • new, 2.79 KB

A reroll.

Status: Needs review » Needs work

The last submitted patch, 7: 3366481-7.patch, failed testing.

cilefen commented:

Status: Needs work » Needs review

Files (status, size):

  • new, 1.65 KB
  • new, 3.67 KB

The last submitted patch, 9: 3366481-9-test.patch, failed testing.

cilefen commented:

Title: OEmbedIframeController returns an HTTP response code that can be cached by forward proxies » OEmbedIframeController returns an HTTP response code that can be cached by forward proxies when it is given illegal parameters

smustgrave commented:

Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs Review Queue Initiative

Reviewing change and seems to throw Bad Request vs Access Denied now.

  • catch committed 5ff0d72f on 10.0.x
    Issue #3366481 by cilefen, acbramley, phenaproxima, seanB:...

  • catch committed 942722de on 10.1.x
    Issue #3366481 by cilefen, acbramley, phenaproxima, seanB:...

  • catch committed ca17d0ac on 11.x
    Issue #3366481 by cilefen, acbramley, phenaproxima, seanB:...

catch commented:

Version: 11.x-dev » 9.5.x-dev
Status: Reviewed & tested by the community » Fixed
Issue tags: +Security, +Security improvements

Committed/pushed to 11.x and cherry-picked back through to 9.5.x, thanks!

  • catch committed 9e2203d3 on 9.5.x
    Issue #3366481 by cilefen, acbramley, phenaproxima, seanB:...

wim leers commented:

Issue tags: +http, +cache

Wow, nice catch!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.