Block request path condition can cause WSOD for the homepage [#2712581]

Problem/Motivation

Removing the "access content" permission from anonymous users, and having any block with a path condition will cause a fatal error on the homepage. This happens because of the following code in Drupal\system\Plugin\Condition\RequestPath::evaluate().

    // Compare the lowercase path alias (if any) and internal path.
    $path = rtrim($this->currentPath->getPath($request), '/');

    $path_alias = Unicode::strtolower($this->aliasManager->getAliasByPath($path));

For the anonymous user, when they don't have access to the homepage, currentPath is set to "/". That makes sense. Unfortunately, the rtrim() removes the / and passes an empty string to AliasManagerInterface::getAliasByPath(). This causes a fatal error and everything comes to a screeching halt.

Steps to reproduce

Remove the "View published content (access content)" permission from the anonymous user
Set the homepage to any path that requires that permission (eg: /node)
Create and place a block with any request path condition
Visit the homepage as an anonymous user

Proposed resolution

Set the path to "/" after the rtrim() if it is an empty string. It's expected behavior for AliasManagerInterface::getAliasByPath() to throw an exception if the path doesn't start with a slash, so the responsibility is on the RequestPath condition plugin.

Remaining tasks

Review the patch.

User interface changes

None

API changes

None

Data model changes

None

Comment	File	Size	Author
#3	2712581-block_request_path_causes_fatal_on_homepage-1.patch	876 bytes	codexmas
#3	8.1.x: PHP 5.5 & MySQL 5.5 Patch failed to apply
#2	2712581-block_request_path_causes_fatal_on_homepage.patch	871 bytes	rbayliss
#2	8.1.x: PHP 5.5 & MySQL 5.5 18,535 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

24 April 2016 at 19:31

rbayliss created an issue. See original summary.

Comment #2

rbayliss CreditAttribution: rbayliss at Last Call Media commented 24 April 2016 at 19:32

Status:

Active

» Needs review

File	Size
2712581-block_request_path_causes_fatal_on_homepage.patch	871 bytes
8.1.x: PHP 5.5 & MySQL 5.5 18,535 pass

Comment #3

codexmas CreditAttribution: codexmas at Acquia commented 5 May 2016 at 20:54

File	Size
2712581-block_request_path_causes_fatal_on_homepage-1.patch	876 bytes
8.1.x: PHP 5.5 & MySQL 5.5 Patch failed to apply

I have encountered the same issue and can validate that your patch fixes the issue.
My patch is apparently not digestible, deferring to yours.

Comment #4

5 May 2016 at 20:24

Status:

Needs review

» Needs work

The last submitted patch, 3: 2712581-block_request_path_causes_fatal_on_homepage-1.patch, failed testing.

Comment #5

codexmas CreditAttribution: codexmas at Acquia commented 5 May 2016 at 20:54

Status:

Needs work

» Reviewed & tested by the community

1 file was hidden/shown/deleted

File	Size
2712581-block_request_path_causes_fatal_on_homepage-1.patch	876 bytes
8.1.x: PHP 5.5 & MySQL 5.5 Patch failed to apply

Patch tested and works

Comment #6

catch

he/him

English

CreditAttribution: catch at Third and Grove commented 6 May 2016 at 10:53

Priority:	Normal	» Major
Status:	Reviewed & tested by the community	» Needs work
Issue tags:		+Needs tests

+++ b/core/modules/system/src/Plugin/Condition/RequestPath.php
@@ -147,7 +147,10 @@ public function evaluate() {
+    if(strlen($path) > 1) {

We should rtrim first, then just replace an empty string with a forward slash if there is one since that's the much less common case.

Also this needs test coverage.

And bumping to major - while it's not particularly easy to run into this, it's possible to configure yourself into a fatal error from the UI which is not good.