Problem/Motivation

In the security release for Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-005 https://www.drupal.org/SA-CORE-2016-005
commit http://cgit.drupalcode.org/drupal/commit/?id=c5da97f
http://cgit.drupalcode.org/drupal/diff/core/modules/system/src/MachineNa...

in \Drupal\system\MachineNameController
the exception is attempted to be thrown like

    if (isset($replace_pattern) && isset($replace)) {
      if (!isset($replace_token)) {
        throw new AccessDeniedException("Missing 'replace_token' query parameter.");
      }
      elseif (!$this->tokenGenerator->validate($replace_token, $replace_pattern)) {
        throw new AccessDeniedException("Invalid 'replace_token' query parameter.");
      }

The actual exception message then ends up reading like:
'The file Missing 'replace_token' query parameter. could not be accessed'

Background

(for security team members with access, see https://security.drupal.org/node/160109#comment-132057 please dont request access if you dont have it, this is just to preserve background history)

Steps to reproduce

1. install

2. drush cset system.logging error_level verbose -y
(to turn on error reporting with backtrace)

3. And then go to a page like:
http://localhost:8888/drupal/machine_name/transliterate?text=00000000000...((0)(0)?)*+&replace=_&lowercase=true

Proposed resolution

Use (correct) Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException instead of accidental Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException

Remaining tasks

(done) Investigate
(done) Give command to reproduce that will show what the message actually is.

User interface changes

No

API changes

No

Data model changes

No

CommentFileSizeAuthor
#5 2829791.5.patch3.37 KBYesCT
#5 2829791.5.testsonly.patch1.96 KBYesCT
#5 2829791.5.notestchange.patch1.41 KBYesCT
#2 2829791.2.notapatch.patch1006 bytesYesCT
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

YesCT created an issue. See original summary.

YesCT’s picture

YesCT CreditAttribution: YesCT commented
FileSize
2829791.2.notapatch.patch1006 bytes

to see the exception message

apply this patch (which adds an X to the message) and then run phpunit and it will show the fail.

$ cd core
$ ../vendor/bin/phpunit modules/system/tests/src/Unit/Transliteration/MachineNameControllerTest.php --verbose
PHPUnit 4.8.27 by Sebastian Bergmann and contributors.

Runtime:	PHP 5.6.7
Configuration:	/Users/ctheys/foo/drupal2/core/phpunit.xml.dist

..........F.

Time: 366 ms, Memory: 7.50Mb

There was 1 failure:

1) Drupal\Tests\system\Unit\Transliteration\MachineNameControllerTest::testMachineNameControllerWithInvalidReplacePattern
Failed asserting that exception message 'The file Invalid 'replace_token' query parameter. could not be accessed' contains 'Invalid X 'replace_token' query parameter.'.

FAILURES!
Tests: 12, Assertions: 14, Failures: 1.

note the exception is:
'The file Invalid 'replace_token' query parameter. could not be accessed'
which does't totally make sense.

YesCT’s picture

YesCT CreditAttribution: YesCT commented
Issue summary: View changes

Without a patch, can do:

1. install

2. drush cset system.logging error_level verbose -y
(to turn on error reporting with backtrace)

3. And then go to a page like:
http://localhost:8888/drupal/machine_name/transliterate?text=00000000000...((0)(0)?)*+&replace=_&lowercase=true

then see:

The website encountered an unexpected error. Please try again later.

Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException: The file Missing 'replace_token' query parameter. could not be accessed in Drupal\system\MachineNameController->transliterate() (line 81 of core/modules/system/src/MachineNameController.php).
call_user_func_array(Array, Array) (Line: 123)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 574)
Drupal\Core\Render\Renderer->executeInRenderContext(Object, Object) (Line: 124)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->wrapControllerExecutionInRenderContext(Array, Array) (Line: 97)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}()
call_user_func_array(Object, Array) (Line: 139)
Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object, 1) (Line: 62)
Symfony\Component\HttpKernel\HttpKernel->handle(Object, 1, 1) (Line: 57)
Drupal\Core\StackMiddleware\Session->handle(Object, 1, 1) (Line: 47)
Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object, 1, 1) (Line: 99)
Drupal\page_cache\StackMiddleware\PageCache->pass(Object, 1, 1) (Line: 78)
Drupal\page_cache\StackMiddleware\PageCache->handle(Object, 1, 1) (Line: 47)
Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object, 1, 1) (Line: 50)
Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object, 1, 1) (Line: 23)
Stack\StackedHttpKernel->handle(Object, 1, 1) (Line: 656)
Drupal\Core\DrupalKernel->handle(Object) (Line: 19)

Note the error is
Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException: The file Missing 'replace_token' query parameter. could not be accessed in Drupal\system\MachineNameController->transliterate() (line 81 of core/modules/system/src/MachineNameController.php).

Talking with @alexpott in irc, they note that:

it should be Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException

YesCT’s picture

YesCT CreditAttribution: YesCT commented

I'm gonna take a look at fixing this.

YesCT’s picture

YesCT CreditAttribution: YesCT commented
Title: Improve exception message for MachineNameController replace_token query parameter » Fix exception message for MachineNameController replace_token query parameter
Issue summary: View changes
Status: Active » Needs review
FileSize
2829791.5.notestchange.patch1.41 KB
2829791.5.testsonly.patch1.96 KB
2829791.5.patch3.37 KB

with change to exception,
before fixing test, 

$ ../vendor/bin/phpunit modules/system/tests/src/Unit/Transliteration/MachineNameControllerTest.php
PHPUnit 4.8.27 by Sebastian Bergmann and contributors.

..........FF

Time: 837 ms, Memory: 7.75Mb

There were 2 failures:

fails were:

1) Drupal\Tests\system\Unit\Transliteration\MachineNameControllerTest::testMachineNameControllerWithInvalidReplacePattern
Failed asserting that exception of type "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException" matches expected exception "Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException". Message was: "Invalid 'replace_token' query parameter." at
#0 /Users/ctheys/foo/drupal2/core/modules/system/tests/src/Unit/Transliteration/MachineNameControllerTest.php(107): Drupal\system\MachineNameController->transliterate(Object(Symfony\Component\HttpFoundation\Request))
...

and

2) Drupal\Tests\system\Unit\Transliteration\MachineNameControllerTest::testMachineNameControllerWithMissingToken
Failed asserting that exception of type "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException" matches expected exception "Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException". Message was: "Missing 'replace_token' query parameter." at
#0 /Users/ctheys/foo/drupal2/core/modules/system/tests/src/Unit/Transliteration/MachineNameControllerTest.php(117): Drupal\system\MachineNameController->transliterate(Object(Symfony\Component\HttpFoundation\Request))
...

exception message making much more sense now. :)

The last submitted patch, 5: 2829791.5.testsonly.patch, failed testing.

The last submitted patch, 5: 2829791.5.notestchange.patch, failed testing.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan as a volunteer and at PreviousNext commented
Status: Needs review » Reviewed & tested by the community

Thanks

The last submitted patch, 2: 2829791.2.notapatch.patch, failed testing.

The last submitted patch, 2: 2829791.2.notapatch.patch, failed testing.

YesCT’s picture

YesCT CreditAttribution: YesCT commented
Issue tags: +Quick fix

Note those fails are from tests only patches and a sample non-patch. The patch is passing fine.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Status: Reviewed & tested by the community » Fixed

This was just the wrong exception - we should have caught it when we reviewed the security patch - well @YesCT did catch. Nice one :)

Committed and pushed f08a8c8 to 8.3.x and 4d6d7b2 to 8.2.x. Thanks!

  • alexpott committed f08a8c8 on 8.3.x 
    Issue #2829791 by YesCT: Fix exception message for MachineNameController...

  • alexpott committed 4d6d7b2 on 8.2.x 
    Issue #2829791 by YesCT: Fix exception message for MachineNameController...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.