Steps to reproduce

Unauthenticated user tries to install Drupal and specifies invalid `profile`:
https://victim.site/core/install.php?profile=%3Cinvalid%20value%3E

Application responds with an error:

User warning: The following module is missing from the file system: invalidvalue in drupal_get_filename() (line 240 of core/includes/bootstrap.inc).
drupal_get_filename('module', 'invalidvalue') (Line: 263)
drupal_get_path('profile', 'invalidvalue') (Line: 244)
Drupal\Core\Extension\ExtensionDiscovery->setProfileDirectoriesFromSettings() (Line: 157)
Drupal\Core\Extension\ExtensionDiscovery->scan('module') (Line: 148)
drupal_required_modules() (Line: 1087)
install_profile_info('minimal') (Line: 1236)
_install_select_profile(Array) (Line: 440)
install_begin_request(Object, Array) (Line: 114)
install_drupal(Object) (Line: 44)

...

After some time, the application stops working for authenticated users (Denial of Service). Functionality is "fixed" when the following URL is accessed:
http://victim.site/core/install.php?profile=standard

Expectation

Generic error message is shown and application continues working.

What happened

Detailed message is shown and administrator is unable to authenticate and/or access modules.
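
A detection sketch for the request pattern in this report, added here as an example and not part of the original issue or Drupal's code: it scans web-server access log lines for `install.php` requests that carry a `profile` parameter and labels each decoded value. The combined log format, the sample lines and the `KNOWN_PROFILES` set are assumptions to adjust per site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: profile names expected on this site (both appear in the report).
KNOWN_PROFILES = {"standard", "minimal"}

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Aug/2017:10:00:00 +0000] '
    '"GET /core/install.php?profile=%3Cinvalid%20value%3E HTTP/1.1" 200 5120',
    '198.51.100.4 - - [02/Aug/2017:10:00:05 +0000] "GET /node/1 HTTP/1.1" 200 900',
    '203.0.113.7 - - [02/Aug/2017:10:07:30 +0000] '
    '"GET /core/install.php?profile=standard HTTP/1.1" 200 4100',
    '198.51.100.4 - - [02/Aug/2017:10:08:00 +0000] '
    '"GET /core/install.php?langcode=en HTTP/1.1" 200 4100',
    'garbage line without fields',
]


def installer_profile_hits(lines, known=KNOWN_PROFILES):
    """Return (ip, timestamp, decoded profile, verdict) for every
    install.php request that carries a profile query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.endswith("/core/install.php"):
            continue
        # parse_qs percent-decodes, so %3Cinvalid%20value%3E -> "<invalid value>"
        for value in parse_qs(url.query, keep_blank_values=True).get("profile", []):
            verdict = "known-profile" if value in known else "unknown-profile"
            hits.append((m["ip"], m["ts"], value, verdict))
    return hits


if __name__ == "__main__":
    for hit in installer_profile_hits(SAMPLE_LOG):
        print(*hit, sep="\t")
```

On an already-installed site both verdicts are worth reviewing, since the report describes `profile=standard` as the request that restored functionality.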

Comments

kratt created an issue.

cilefen

Priority: Normal » Major

Nice find! I don't understand how this constitutes a denial of service. But it is a PHP error triggerable with a GET request so it is major priority.

cilefen

Title: Invalid installation profile crashes admin functionality » "The following module is missing from the file system" when specifying an invalid install profile as a query parameter

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

quietone

Status: Active » Closed (duplicate)
Issue tags: +Bug Smash Initiative

This is a duplicate of #2840973: Install system should not produce PHP errors. Moved the data from the IS here over there.