Problem/Motivation

https://www.drupal.org/sa-core-2022-014 improved handling of dot files in the case that htaccess is in the list of allowed extensions. However Drupal 7 will always rename dot files. I think Drupal 9 and 10 should have the same behaviour - for example uploading a .htpasswd file could have interesting consequences.

The problem is that

    // Dot files are renamed regardless of security settings.
    $filename = trim($filename, '.');

is not actually true because further down the method we do an early exit if we think file_validate_extensions() is going to reject it. But unfortunately the logic in file_validate_extensions() and this method are not 100% the same. At some point we should add a static method that file_validate_extensions() calls so we can be sure that the logic is 100% the same.

However in this case the fix is simpler we should do

    if ($filename !== $event->getFilename()) {
      $event->setFilename($filename)->setSecurityRename();
    }

immediately after the trim to make the comment correct. In fact this should go after the null byte removal as both of these parts are security related.

Steps to reproduce

Allow files with the htpasswd extension and then upload a file called .htpasswd

Proposed resolution

Always rename dot files.

Remaining tasks

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

N/a

CommentFileSizeAuthor
#2 3302448-2.patch3.68 KBalexpott

Issue fork drupal-3302448

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

alexpott created an issue. See original summary.

alexpott’s picture

Status: Active » Needs review
StatusFileSize
new3.68 KB

Status: Needs review » Needs work

The last submitted patch, 2: 3302448-2.patch, failed testing. View results

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

prudloff made their first commit to this issue’s fork.

prudloff’s picture

Status: Needs work » Needs review

I did a quick manual test and I think this is still a concern.

I rebased the patch.
I'm not sure the failing AssetAggregationAcrossPagesTest is related?

borisson_’s picture

Status: Needs review » Reviewed & tested by the community

I don't see why that test would start failing, and I can't find an issue about it having random failures. Since this a security hardening I think we should move this through.

quietone’s picture

Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs title update

This should have a title that has meaning that includes people who only know Drupal 8 and above. As is, the title, and thus the commit message, only makes sense for those that know what Drupal 7 did. Therefor, tagging for a title update.

alexpott’s picture

Title: Always rename dot files like Drupal 7 » Always rename dot files regardless of the configured file extensions
Status: Needs work » Reviewed & tested by the community
greggles’s picture

Title: Always rename dot files regardless of the configured file extensions » Always rename dot files regardless of the configured file extensions creating defense in depth

Seems good to add the "why" - it's about extra security through defense in depth

borisson_’s picture

Issue tags: -Needs title update

Removing the tag, title looks great now.

  • longwave committed 56fe980b on 11.x
    Issue #3302448 by prudloff, alexpott: Always rename dot files regardless...
longwave’s picture

Version: 11.x-dev » 10.6.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

This change makes sense to me and simplifies the code path a bit while making things more secure, so good all round.

Committed 56fe980 and pushed to 11.x. Thanks!

As this is a minor behaviour change, but also a security improvement, I'm on the fence somewhat about backporting to 11.2.x. This is definitely eligible for 10.6.x (and perhaps 10.5.x if we also commit to 11.2.x), but the MR doesn't apply, so marking PTBP so we can decide what to do next here.

longwave’s picture

Version: 10.6.x-dev » 11.3.x-dev
Status: Patch (to be ported) » Fixed

This never got backported, let's just mark it as fixed in 11.3.

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.