#2528988: Remove the option to specify a base_url from within settings.php got committed, so it's time to remove the $base_url check from the Drupal 8 version of Security Review.

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

banviktor created an issue. See original summary.

banviktor’s picture

Assigned: Unassigned » banviktor

I'm aiming to provide a patch for this tomorrow.

banviktor’s picture

Status: Active » Needs review
StatusFileSize
new5.75 KB

Patch added.

Status: Needs review » Needs work

The last submitted patch, 3: 2581071-remove-base-url-check-3.patch, failed testing.

banviktor’s picture

Assigned: banviktor » Unassigned
Status: Needs work » Needs review

Looks like configuration API's requirements in testing have changed in the meantime. Solving that might need a separate issue.

banviktor’s picture

Issue summary: View changes
StatusFileSize
new6.49 KB

This leaves only the langcode problems in.

banviktor’s picture

Status: Needs review » Postponed

The said issue is still pretty active, so maybe we should wait with this.

The last submitted patch, 3: 2581071-remove-base-url-check-3.patch, failed testing.

Status: Postponed » Needs work

The last submitted patch, 6: 2581071-remove-base-url-check-6.patch, failed testing.

banviktor’s picture

Status: Needs work » Postponed
smustgrave’s picture

So what was this postponed for?

greggles’s picture

Status: Postponed » Needs review

I think banviktor was saying that the core api was changing, but that's no longer true so it seems fine to make this back to needs review or needs work.

smustgrave’s picture

Version: 8.x-1.x-dev » 2.0.x-dev
StatusFileSize
new6.48 KB

Rerolled

smustgrave’s picture

bumping this one for the refractor of trusted hosts

greggles’s picture

I noticed this changes the token from @file to !file:

-    $paragraphs[] = $this->t('If the site should be available only at that URL it is recommended that you set it as the $base_url variable in the settings.php file at @file.', ['@file' => $settings_php]);
-    $paragraphs[] = $this->t('If the site has multiple URLs it can respond from you should whitelist host patterns with trusted_host_patterns in settings.php.');
+    $paragraphs[] = $this->t('If the site has multiple URLs it can respond from you should whitelist host patterns with trusted_host_patterns in settings.php at !file.', ['!file' => $settings_php]);

Is that an intentional and required change?

smustgrave’s picture

I couldn't explain why but !file: was causing an error and not being replaced.

smustgrave’s picture

Other then that though does this change still work for you also?

greggles’s picture

I think (?) that's a really important thing to figure out to be sure it's not a pathway for xss.

smustgrave’s picture

Can try to find some php doc but not sure where to look quickly, this is a current bug. It throws an error currently not replacing

ambient.impact’s picture

@smustgrave What's the exact error? It could be that core is seeing it as a URL and thus a potential security issue when used as a replacement of the wrong type.

smustgrave’s picture

Status: Needs review » Needs work

Actually just checked in D10 and no longer seeing the issue will update the patch later.

smustgrave’s picture

Status: Needs work » Needs review
StatusFileSize
new2.54 KB
new6.52 KB

Okay this should be good to go!

  • smustgrave committed c08ab79c on 2.0.x
    Issue #2581071: Remove checking base_url in TrustedHosts check
    
smustgrave’s picture

Status: Needs review » Fixed

Going ahead and merging to keep the ball rolling on the trusted host updates.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.