Problem/Motivation
In the security release for Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-005 https://www.drupal.org/SA-CORE-2016-005
commit http://cgit.drupalcode.org/drupal/commit/?id=c5da97f
http://cgit.drupalcode.org/drupal/diff/core/modules/system/src/MachineNa...
in \Drupal\system\MachineNameController
the exception is attempted to be thrown like
if (isset($replace_pattern) && isset($replace)) {
if (!isset($replace_token)) {
throw new AccessDeniedException("Missing 'replace_token' query parameter.");
}
elseif (!$this->tokenGenerator->validate($replace_token, $replace_pattern)) {
throw new AccessDeniedException("Invalid 'replace_token' query parameter.");
}
The actual exception message then ends up reading like:
'The file Missing 'replace_token' query parameter. could not be accessed'
Background
(for security team members with access, see https://security.drupal.org/node/160109#comment-132057 please dont request access if you dont have it, this is just to preserve background history)
Steps to reproduce
1. install
2. drush cset system.logging error_level verbose -y
(to turn on error reporting with backtrace)
3. And then go to a page like:
http://localhost:8888/drupal/machine_name/transliterate?text=00000000000...((0)(0)?)*+&replace=_&lowercase=true
Proposed resolution
Use (correct) Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException instead of accidental Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException
Remaining tasks
(done) Investigate
(done) Give command to reproduce that will show what the message actually is.
User interface changes
No
API changes
No
Data model changes
No
Comment | File | Size | Author |
---|---|---|---|
#5 | 2829791.5.patch | 3.37 KB | YesCT |
#5 | 2829791.5.testsonly.patch | 1.96 KB | YesCT |
#5 | 2829791.5.notestchange.patch | 1.41 KB | YesCT |
#2 | 2829791.2.notapatch.patch | 1006 bytes | YesCT |
Comments
Comment #2
YesCT CreditAttribution: YesCT commentedto see the exception message
apply this patch (which adds an X to the message) and then run phpunit and it will show the fail.
note the exception is:
'The file Invalid 'replace_token' query parameter. could not be accessed'
which does't totally make sense.
Comment #3
YesCT CreditAttribution: YesCT commentedWithout a patch, can do:
1. install
2. drush cset system.logging error_level verbose -y
(to turn on error reporting with backtrace)
3. And then go to a page like:
http://localhost:8888/drupal/machine_name/transliterate?text=00000000000...((0)(0)?)*+&replace=_&lowercase=true
then see:
Note the error is
Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException: The file Missing 'replace_token' query parameter. could not be accessed in Drupal\system\MachineNameController->transliterate() (line 81 of core/modules/system/src/MachineNameController.php).
Talking with @alexpott in irc, they note that:
Comment #4
YesCT CreditAttribution: YesCT commentedI'm gonna take a look at fixing this.
Comment #5
YesCT CreditAttribution: YesCT commentedwith change to exception,
before fixing test,
fails were:
and
exception message making much more sense now. :)
Comment #8
larowlanThanks
Comment #11
YesCT CreditAttribution: YesCT commentedNote those fails are from tests only patches and a sample non-patch. The patch is passing fine.
Comment #12
alexpottThis was just the wrong exception - we should have caught it when we reviewed the security patch - well @YesCT did catch. Nice one :)
Committed and pushed f08a8c8 to 8.3.x and 4d6d7b2 to 8.2.x. Thanks!