Problem/Motivation

The current doxygen is "Logger channel interface" when the interface is called "LoggerChannelInterface". That's not too helpful. Also, $context['link'] is printed as-is and that little fact is not documented. Anywhere. In the last decade.

Proposed resolution

Write some helpful notes on the two sides of logging: implementing a logger and using the logger. Add a security notice about link existing and being printed as-is.

Remaining tasks

Backport the security notice. This doesn't need to be handled privately because it is extremely likely that whoever used this (can't be a lot given how poorly it is documented and rarely used in core) used l() as core does. Also

On the other hand, an XSS issue related to other names (e.g. languages) that are unlikely to be entered/imported from an untrusted source can be handled in public.

from https://www.drupal.org/security-advisory-policy .

CommentFileSizeAuthor
#18 2535192_18.patch1.6 KBchx
#17 2535192_17.patch1.95 KBchx
#11 2535192_11.patch1.42 KBchx
#10 2535192_10.patch1.42 KBchx
#9 2535192_9.patch1.37 KBchx
#5 2535192_5.patch2.14 KBchx
#3 2535192_3.patch1.77 KBchx
#1 2535192_1.patch697 byteschx

Comments

chx’s picture

chx commented
Status: Active » Needs review
StatusFileSize
new 2535192_1.patch697 bytes
dawehner’s picture

dawehner
Primary language German
commented 
+++ b/core/lib/Drupal/Core/Logger/LoggerChannelInterface.php
@@ -13,6 +13,11 @@
+ * This interface is the central Drupal logger facility. It allows using
+ * several \Psr\Log\LoggerInterface loggers, the default implementation picks
+ * up services tagged with the logger tag. Also, request specific information
+ * is provided so the log entries can provide more context.
  */

If this is the central place for loggers I think we should document how to use loggers. a) Inject one of the loggers from the core.services.yml file and b) not typehint against LoggerChannelInterface but rather LoggerInterface. Especially the later one seems not obvious reading the first sentence.

chx’s picture

chx commented
StatusFileSize
new 2535192_3.patch1.77 KB

Wrote more docs. Also, in D7 we had function watchdog($type, $message, $variables = array(), $severity = WATCHDOG_NOTICE, $link = NULL) { in D8 it is possible to set $context['link'] instead but there's nowhere to document this because the LoggerInterface is in vendor.

dawehner’s picture

dawehner
Primary language German
commented 
+++ b/core/lib/Drupal/Core/Logger/LoggerChannelInterface.php
@@ -13,6 +13,19 @@
+ * @see \Drupal\Core\Logger\\LoggerChannelFactoryInterface

Double "\\" :)

Wrote more docs. Also, in D7 we had function watchdog($type, $message, $variables = array(), $severity = WATCHDOG_NOTICE, $link = NULL) { in D8 it is possible to set $context['link'] instead but there's nowhere to document this because the LoggerInterface is in vendor.

Well, let's assume people read that interface you are patching. Then nothing blocks you from providing the same interface method again in our subinterface.
In general try to not be so pessimistic, this time we can actually make sense out of the documentation. The docs in D7 has been also just wrong.
You did not passed in a link, but rather a path / URL.

chx’s picture

chx commented
Title: LoggerChannelInterface doxygen needs a little love » Security: LoggerChannelInterface doxygen needs a little love
Priority: Normal » Major
StatusFileSize
new 2535192_5.patch2.14 KB

> The docs in D7 has been also just wrong. You did not passed in a link, but rather a path / URL.

No, you passed in whatever you wanted and was and still printed as-is. I am not kidding. Check dblog_event in D7 (or any Drupal version you want back to 3.0 or somesuch -- yes, I checked a lot of git history) and DblogController::eventDetails for more (DbLog::log just records it). It is currently broken in syslog as the tags are stripped (and has been stripped since syslog got added to core) and #76588-62: Syslog module's serialization of log components possibly broken tried to fix in 2009 (as I said: I dug up all history relating to this) but the issue simply lies there CNW since.

After some digging I found a usage in D7 modules/book/book.admin.inc:

watchdog('content', 'book: updated %title.', array('%title' => $node->title), WATCHDOG_NOTICE, l(t('view'), 'node/' . $node->nid));

which still exists in D8 core/modules/book/src/Form/BookAdminEditForm.php

$this->logger('content')->notice('book: updated %title.', array('%title' => $node->label(), 'link' => $node->link($this->t('View'))));

and following this, you can search for logger.*link and find a couple dozen usages.

So

  1. It is used.
  2. It is insecure.
  3. It is undocumented.

Purdy! I am raising this to major. The security notice needs a backport, too. Back to whatever versions we still commit patches to :) This is merely a weakness, one that is unlikely to be exploitable since people pass the output of l() to this in D7 and below anyways.

chx’s picture

chx commented
Issue summary: View changes
chx’s picture

chx commented
Issue summary: View changes
chx’s picture

chx commented
Issue summary: View changes
chx’s picture

chx commented
Parent issue: » #2527700: [meta] Improve interface doxygen where it is insufficient
StatusFileSize
new 2535192_9.patch1.37 KB

Opsie, i accidentally patched vendor.

chx’s picture

chx commented
StatusFileSize
new 2535192_10.patch1.42 KB

While discussing how l() is gone from D8 I found LinkGeneratorTrait::l() so I added that to the list.

chx’s picture

chx commented
StatusFileSize
new 2535192_11.patch1.42 KB

scor points out Url using security note so i renamed here as well.

dawehner’s picture

dawehner
Primary language German
commented 
+++ b/core/lib/Drupal/Core/Logger/LoggerChannelInterface.php
@@ -13,6 +13,27 @@
+ * SECURITY NOTE: a 'link' can be set in the context array which will be
+ * printed as-is by the dblog module under an "operations" header. Usually
+ * this is a "view", "edit" or similar relevant link. Make sure to use proper,
+ * secure link generation facilities.

I'm confused because many of the callers in core specify a path there.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs review » Reviewed & tested by the community

Oh you are absolutely right and I was blind from reading d6 code.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
commented
Status: Reviewed & tested by the community » Needs work

Um....

So I agree the interface docs need some love, but... After reading through these docs I was left with a lot of confusion. Can they get a bit more work please?

  1. +++ b/core/lib/Drupal/Core/Logger/LoggerChannelInterface.php
@@ -13,6 +13,27 @@
+ * This interface is the central Drupal logger facility. Despite this,
+ * \Psr\Log\LoggerInterface should be used for typehinting, not this interface.

    Why should this be done? I have no idea... why would we define this interface and then say not to use it? 

  2. +++ b/core/lib/Drupal/Core/Logger/LoggerChannelInterface.php
@@ -13,6 +13,27 @@
+ * To add a new logger to the system, implement \Psr\Log\LoggerInterface and
+ * add a service for that class to a services.yml file tagged with the 'logger'
+ * tag. The default implementation of this interface will call every such
+ * logger service with some useful context (request_uri, referer, ip, user,
+ * uid).
+ *

    When I read this paragraph, I was confused in the 3rd line by "this interface"... is it referring to LoggerInterface or LoggerChannelInterface? The "this" is ambiguous because there are two interfaces (the one being documented and the one talked about in the paragraph). And I still don't know why we have our own interface here if we're just supposed to implement the PSR interface? Makes no sense to me.

    Actually I have no idea what this paragraph means. I'm sure it makes sense if you already know the information, but I don't and it doesn't... ??? 

  3. +++ b/core/lib/Drupal/Core/Logger/LoggerChannelInterface.php
@@ -13,6 +13,27 @@
+ * SECURITY NOTE: a 'link' can be set in the context array which will be

    What context array? Maybe this is related to one of the methods? If so it should say that and/or be documented on that method?

dawehner’s picture

dawehner
Primary language German
commented

Why should this be done? I have no idea... why would we define this interface and then say not to use it?

That interface is about injecting some things into the logger. This is something the caller of a logger should not care about at all.
On top of that its also better to write code in the smallest interface as possible, as your code gets more compatible with PSR-3

jhodgdon’s picture

jhodgdon
she/her
Primary language English
commented

OK, how about making that comment say something like:

This interface defines the full behavior of the central Drupal logger facility. However, when writing code that does logging, use the generic \Psr\Log\LoggerInterface for typehinting instead (you shouldn't need the methods here).

chx’s picture

chx commented
StatusFileSize
new 2535192_17.patch1.95 KB
chx’s picture

chx commented
Status: Needs work » Needs review
StatusFileSize
new 2535192_18.patch1.6 KB
chx’s picture

chx commented
Issue tags: +Needs backport to D7
jhodgdon’s picture

jhodgdon
she/her
Primary language English
commented
Status: Needs review » Reviewed & tested by the community

Looks good to me now, thanks!

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Fixed
Issue tags: -Needs backport to D7

LoggerChannelInterface's love has been received. Committed 3838074 and pushed to 8.0.x. Thanks!

I think that D7 should have a new issue since this interface does not exist there.

  • alexpott committed 3838074 on 8.0.x 
    Issue #2535192 by chx, dawehner, jhodgdon: Security:...
jhodgdon’s picture

jhodgdon
she/her
Primary language English
commented

Fair enough. D7 follow-up:
#2540830: Sanitize watchdog() link in dblog_event()

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.