Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
For example, when running "Enable/disable modules" test, a 403 Access denied error is reported.
Comment | File | Size | Author |
---|---|---|---|
#43 | 554106-rollback-42.patch | 763 bytes | pwolanin |
#40 | 554106-rollback-40.patch | 763 bytes | pwolanin |
#36 | 554106-rollback-36.patch | 847 bytes | pwolanin |
#34 | 554106-rollback-34.patch | 763 bytes | pwolanin |
#11 | 554106-curl-redirect.patch | 2.46 KB | boombatower |
Comments
Comment #1
dropcube CreditAttribution: dropcube commentedIf a request is redirected to other URL (with a drupal_goto() for example), the same User Agent is passed to the other request, including the request time. If there are multiple redirects, the time window will be lower, and the check in
check in drupal_valid_test_ua()
might fail.Comment #2
sunsubscribing
Comment #3
webchickSubscribing. Need to fix this to turn testing bot back on.
Comment #4
deekayen CreditAttribution: deekayen commentedApparently it causes these specific errors when the modules page doesn't save properly. I can confirm the problem is intermittent, happens on slower testing systems (quad core or worse) and can happen on either PIFR 1 or PIFR 2. It's line 117 that cascades into more errors because it's where the post to save the modules page happens.
CSV simpletest table dump:
Comment #5
sunI develop on a very slow machine, and I'm getting the same failures also for ModuleDependencyTestCase::testEnableWithoutDependency(), which equally tries to post to the module page.
Comment #6
sunBut even when doing
I'm still getting the same errors. I'm rather confused by the returned 403.
Comment #7
boombatower CreditAttribution: boombatower commentedI am assuming this is due to:
Attempting to fix.
Comment #8
boombatower CreditAttribution: boombatower commentedConfirmed by changing the time window in drupal_valid_test_ua().
Supposed to generate a new one every request in curlInitialize(), but curl is handling the redirect since drupal_goto() returns a "Location" header.
This can be fixed by: a) increasing the time window, or b) turning off the auto redirect in curl and doing it ourselves.
Comment #9
dropcube CreditAttribution: dropcube commented@sun: The returned 403 is due to
drupal_valid_test_ua()
time window check. If the time window is consumed in the page process, and a redirection occurs, then the time diff doesn't fit in the time window of the next request.We have these options:
1- Do NOT validate against a time window.
2- Regenerate a new user agent for requests started by simpletest. When the request is redirect, i.e. using drupal_goto(), regenerate a new user agent with the current time instead of the request time.
Option 1 is quicker as easier to implement for now. The attached patch fixes it.
Comment #10
dropcube CreditAttribution: dropcube commentedComment #11
boombatower CreditAttribution: boombatower commentedRemove curl redirect follow and implements inside DWTC.
Comment #12
sunComment #14
boombatower CreditAttribution: boombatower commentedComment #15
deekayen CreditAttribution: deekayen commentedI still kind of like #9 as part of the solution to this. The whole 2 second check thing seems arbitrary. Why not just let it take as long as it takes in case the server happened to have some combination of high CPU, disk I/O, swapping, etc misc load. It's not like the 2 second window has some sort of runaway process kill functionality in it which might be the only useful part of having a counter on it...
Comment #16
sunLet's fix the bug first. That's highly critical, because it blocks many patches and code-freeze is coming.
Comment #17
webchickGreat sleuthing, folks!
Ok, switching testing bot back on....
Comment #18
webchickHm. Damn. No dice.
All of the patches that make it as far as running tests are getting the same failures. Random example:
http://testing.drupal.org/pifr/file/1/11678
Result received from slave #38 (Failed: 13069 passes, 15 fails, 4 exceptions).
Path aliases with translated nodes: 1 fail, 1 exception
Session tests: 1 fail
SimpleTest functionality: 4 fails, 1 exception
UI language negotiation: 9 fails, 2 exceptions
Comment #19
sunok, testbot seems to fail on tests that may expect special treatment of redirects: http://testing.drupal.org/pifr/file/1/11677
Comment #20
sunComment #21
webchickAlso, I decided to revert the previous patch. It might be close, but the situation before the patch was that under some conditions some machines might get 3 failures in the module tests, and the situation after is all machines are getting 15 failures in a number of seemingly unrelated tests. This stage of the core development cycle is the most critical, and I don't want to see core developers wasting time debugging things that are not their fault.
If there's a way to do a dry run on the testing servers with the next patch before it gets marked RTBC, I would really appreciate it. ;)
Comment #22
deekayen CreditAttribution: deekayen commentedWhat's funny is the easiest way to test before would have been to have PIFR 2 to it, but I moved all the clients except my sandbox back to PIFR 1. Maybe amazon will come through with some additional clients.
Comment #23
deekayen CreditAttribution: deekayen commentedEr, nevermind. It'll have to be local. PIFR 2 clients won't pass the self test with core broken (which is why my sandbox client is in failed state in PIFR 2).
Comment #24
dropcube CreditAttribution: dropcube commentedWe can try temporarily with #9, just skip the time window security layer, and then find a solution to the redirect issues.
Comment #25
webchickOk, committed the patch in #9.
Restarting the testing bot again....
Comment #26
webchickYay! I think it's back! :)
I had to disable slave #39, but the rest are coming back with passes. Turning reporting back on.
Thanks for all of your help folks!!!
Comment #30
sunComment #31
Damien Tournoud CreditAttribution: Damien Tournoud commentedErm. Reopening that. We removed the time check instead of increasing it... (why?) thus strongly lowering the security of the system.
If we don't want a time check, we should clean-up the time variable from the token.
Comment #32
Damien Tournoud CreditAttribution: Damien Tournoud commentedWe definitely need the Simpletest tokens to be non-replayable. This patch removed that without any consideration about the risks involved.
Comment #33
pwolanin CreditAttribution: pwolanin commentedindeed - this is really serious. Why was this committed?
#11 looks like it was trying to actually address the problem, not break our security model.
Comment #34
pwolanin CreditAttribution: pwolanin commentedHere's a roll-back patch for #9 accounting for core changes since then.
Comment #35
pwolanin CreditAttribution: pwolanin commentedComment #36
pwolanin CreditAttribution: pwolanin commentedchx asks for a 30 second window (the default PHP timeout) until we fix the curl behavior, etc.
Comment #37
Anonymous (not verified) CreditAttribution: Anonymous commentedlooks good to me, we can adjust if the window is too small.
Comment #38
pwolanin CreditAttribution: pwolanin commentedIt looks like #11 made it into core also? In that case, maybe we are ok with 2 seconds (or something shorter than 30)?
Comment #39
sunIf I'd scan through bootstrap.inc and read this todo, I'd have no idea of what the author was trying to tell here.
Also, remove the leading hyphen and use proper capitalization/punctuation.
Parentheses around inner conditions ($time_diff >= 0) are needless.
40 critical left. Go review some!
Comment #40
pwolanin CreditAttribution: pwolanin commentedin fact looks like that curl fix was already made, so let's try this with ~5 sec?
@sun - I find the parens are more readable (even if they are needless) - and they were in core before. Do we have a code style standard here?
Comment #41
pwolanin CreditAttribution: pwolanin commentedComment #42
sunIf it's really more readable, then why isn't the last condition wrapped in parentheses? :)
EDIT: on a second read, all additional parentheses are needless on this line.
Sorry, I can't RTBC, not familiar enough with this code.
Comment #43
pwolanin CreditAttribution: pwolanin commentedThere seems to be no real standard on the use of parens - so I favor them if they add readability.
see:
http://api.drupal.org/api/function/drupal_valid_token/7
http://api.drupal.org/api/function/drupal_is_cli/7
http://api.drupal.org/api/function/drupal_page_is_cacheable/7
Given that this is essentially just rolling back a commit above , I think it's RTBC as long as the tests pass (which was the reason for this issue in any case).
Comment #44
webchickReally sorry. :( I remember being in a bit of a desperate state trying to get testbot back on at the time this was committed, and didn't fully take in the ramifications of this patch.
Committed to HEAD!