Error 500 when hitting any folders inside en/sites/default/files/styles/ [#3063048]

Internal Server Error

Netsparker Cloud identified an internal server error.
The server responded with an HTTP status 500, indicating there is a server-side error. Reasons may vary, and the behavior should be analyzed carefully. If Netsparker Cloud is able to find a security issue in the same resource, it will report this as a separate vulnerability.

When hitting https://domain.com/en/sites/default/files/styles/thumbnail" URL, error 500 is getting displayed. This is happening for all the folders inside styles.
The exact error message is "ArgumentCountError: Too few arguments to function image_style_deliver(), 1 passed in /var/www/html/domain.com/docs/includes/menu.inc on line 527 and exactly 2 expected in image_style_deliver() (line 807 of /var/www/html/domain.com/docs/modules/image/image.module)."

At least 404 page not found should be displayed instead of 500.

Comment	File	Size	Author
#14	3063048-14_test_only.patch	880 bytes	mcdruid
#14	7.x: PHP 7.4 & MySQL 5.7 2,110 pass, 2 fail
#13	3063048-13.patch	2.11 KB	mcdruid
#13	7.x: PHP 7.4 & MySQL 5.7 2,111 pass PHP 5.3 & MySQL 5.5 2,111 pass PHP 5.6 & MySQL 5.5 2,111 pass PHP 7.2 & MySQL 5.6 2,111 pass PHP 7.3 & MySQL 5.7 2,111 pass PHP 7.4 & MySQL 8 2,111 pass PHP 7.4 & SQLite 3.27 2,107 pass PHP 8.0 & MySQL 5.7 2,111 pass PHP 8.1 & sqlite-3.27 2,107 pass
#13	interdiff-3063048-6-13.txt	806 bytes	mcdruid
#6	drupal-fatal-in-styles-folder-3063048-D7.patch	1.25 KB	darkodev
#6	7.x: PHP 7 & MySQL 5.5 2,110 pass PHP 5.3 & MySQL 5.5 2,110 pass PHP 5.6 & MySQL 5.5 2,110 pass PHP 7.2 & MySQL 5.6 2,110 pass PHP 7.3 & MySQL 5.7 2,110 pass PHP 7.4 & MySQL 5.7 2,110 pass PHP 7.4 & MySQL 8 2,110 pass PHP 7.4 & SQLite 3.27 2,106 pass PHP 8.0 & MySQL 5.7 2,110 pass PHP 8.1 & sqlite-3.27 2,106 pass
#3	drupal-fatal-in-styles-folder-3063048-3-D7.patch	533 bytes	asvira
#3	7.x: PHP 7 & MySQL 5.5 2,047 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

20 June 2019 at 14:52

prabha.venkat created an issue. See original summary.

Comment #2

oranges13

she/her

Michigan

CreditAttribution: oranges13 commented 28 June 2019 at 15:57

We received this error as well and it was because a crawl bot was hitting invalid urls on our installation, such as `oururl.com/sites/default/files/styles/large/` with no actual image information.

I agree a more graceful error recovery should probably occur.

Comment #3

asvira CreditAttribution: asvira at DrupalSquad commented 29 June 2019 at 15:34

Status:

Active

» Needs review

File	Size
drupal-fatal-in-styles-folder-3063048-3-D7.patch	533 bytes
7.x: PHP 7 & MySQL 5.5 2,047 pass

This patch makes .../styles/%image_style request to behave in the same way as .../styles/%image_style/public request (403 Access denied).

Comment #4

prabha.venkatesan CreditAttribution: prabha.venkatesan commented 15 October 2019 at 16:07

Thanks for the patch asvira , but the patch is breaking the site. It is throwing 500 error on all the pages at the bottom of the page. Even on the https://domain.com/en/sites/default/files/styles/thumbnail page it is throwing a 500 error along with the 404.
Any other solution would be helpful.

Comment #5

darkodev CreditAttribution: darkodev commented 30 October 2019 at 18:06

Adding to the list of users seeing this error. Netsparker also ran recently on our sites. Will report our findings as we debug . . .

/sites/default/files/styles/large/

results in

ArgumentCountError: Too few arguments to function image_style_deliver(), 1 passed in [...]/includes/menu.inc on line 527 and exactly 2 expected in image_style_deliver() (line 807 of [...]/modules/image/image.module).

On my local dev environment, this throws a generic 404. ~~Perhaps an Apache configuration issue, since we're not seeing more people reporting this issue?~~

Comment #6

darkodev CreditAttribution: darkodev commented 30 October 2019 at 20:33

File	Size
drupal-fatal-in-styles-folder-3063048-D7.patch	1.25 KB
7.x: PHP 7 & MySQL 5.5 2,110 pass PHP 5.3 & MySQL 5.5 2,110 pass PHP 5.6 & MySQL 5.5 2,110 pass PHP 7.2 & MySQL 5.6 2,110 pass PHP 7.3 & MySQL 5.7 2,110 pass PHP 7.4 & MySQL 5.7 2,110 pass PHP 7.4 & MySQL 8 2,110 pass PHP 7.4 & SQLite 3.27 2,106 pass PHP 8.0 & MySQL 5.7 2,110 pass PHP 8.1 & sqlite-3.27 2,106 pass

Adding !empty($scheme) to check for $valid as well as $scheme = NULL works for me. I feel that it can't hurt to check !empty($scheme) since we're already checking !empty($style).

https://www.php.net/manual/en/migration71.incompatible.php

Our site that runs an older version of PHP only emits the warning (so all versions of 7.x core suffer this issue).

So, this warning in PHP < 7.1:
Warning: Missing argument 2 for image_style_deliver(), called in /includes/menu.inc on line 527 and defined in image_style_deliver() (line 807 of /modules/image/image.module).

Becomes this fatal error in PHP >= 7.1:
ArgumentCountError: Too few arguments to function image_style_deliver(), 1 passed in /includes/menu.inc on line 527 and exactly 2 expected in image_style_deliver() (line 807 of /modules/image/image.module).

Comment #7

joelpittet

English

Vancouver

CreditAttribution: joelpittet at The University of British Columbia commented 30 October 2019 at 23:18

Status:

Needs review

» Reviewed & tested by the community

That seems like a reasonable fix, thanks @darkodev, @asvira, and @prabha.venkat

Comment #8

Steven Jones CreditAttribution: Steven Jones at ComputerMinds commented 19 March 2020 at 13:42

This fix works for me, does it need a test though?

Comment #9

sjerdo

Dutch

Haarlem

CreditAttribution: sjerdo at Synetic commented 30 September 2020 at 09:41

Issue tags:

+Drupal 7.74 target

Patch #6 LGTM +1

Comment #10

malcolm_p CreditAttribution: malcolm_p commented 1 December 2020 at 21:26

Working well for me, preventing these server errors with no issue.

Comment #11

webservant316 CreditAttribution: webservant316 commented 24 November 2021 at 13:35

I am seeing this error. Why isn't this patch committed?

Comment #12

mcdruid

🇬🇧🇪🇺

CreditAttribution: mcdruid as a volunteer and at Acquia commented 24 November 2021 at 20:09

Issue tags:

-Drupal 7.74 target

Per #8 it would be good to add a (very basic) test for this.

Comment #13

mcdruid

🇬🇧🇪🇺

CreditAttribution: mcdruid as a volunteer and at Acquia commented 24 November 2021 at 20:58

File	Size
interdiff-3063048-6-13.txt	806 bytes
3063048-13.patch	2.11 KB
7.x: PHP 7.4 & MySQL 5.7 2,111 pass PHP 5.3 & MySQL 5.5 2,111 pass PHP 5.6 & MySQL 5.5 2,111 pass PHP 7.2 & MySQL 5.6 2,111 pass PHP 7.3 & MySQL 5.7 2,111 pass PHP 7.4 & MySQL 8 2,111 pass PHP 7.4 & SQLite 3.27 2,107 pass PHP 8.0 & MySQL 5.7 2,111 pass PHP 8.1 & sqlite-3.27 2,107 pass

Hopefully this'll do.

As we're adding to the helper function which several different tests call, this new code will be run a handful of times. On the one hand perhaps that's overkill, but at least it'll mean more coverage...

I've only manually tested this:

ImageStylesPathAndUrlTestCase::testImageStyleUrlAndPathPublic

...so we'll see if all the other test that call \ImageStylesPathAndUrlTestCase::_testImageStyleUrlAndPath() also behave as expected.

Comment #14

mcdruid

🇬🇧🇪🇺

CreditAttribution: mcdruid as a volunteer and at Acquia commented 24 November 2021 at 21:01

File	Size
3063048-14_test_only.patch	880 bytes
7.x: PHP 7.4 & MySQL 5.7 2,110 pass, 2 fail

Oops forgot the test only patch, which might make things a bit messy.

Also noticed a comment typo (mine) which can be fixed on commit:

// Check that requesting a partial image style path return access denied.

s/return/returns/

Comment #15

24 November 2021 at 21:12

Status:

Reviewed & tested by the community

» Needs work

The last submitted patch, 14: 3063048-14_test_only.patch, failed testing. View results

Comment #16

mcdruid

🇬🇧🇪🇺

CreditAttribution: mcdruid as a volunteer and at Acquia commented 24 November 2021 at 21:32

3 files were hidden/shown/deleted

File	Size
drupal-fatal-in-styles-folder-3063048-3-D7.patch	533 bytes
7.x: PHP 7 & MySQL 5.5 2,047 pass
drupal-fatal-in-styles-folder-3063048-D7.patch	1.25 KB
7.x: PHP 7 & MySQL 5.5 2,110 pass PHP 5.3 & MySQL 5.5 2,110 pass PHP 5.6 & MySQL 5.5 2,110 pass PHP 7.2 & MySQL 5.6 2,110 pass PHP 7.3 & MySQL 5.7 2,110 pass PHP 7.4 & MySQL 5.7 2,110 pass PHP 7.4 & MySQL 8 2,110 pass PHP 7.4 & SQLite 3.27 2,106 pass PHP 8.0 & MySQL 5.7 2,110 pass PHP 8.1 & sqlite-3.27 2,106 pass
3063048-14_test_only.patch	880 bytes
7.x: PHP 7.4 & MySQL 5.7 2,110 pass, 2 fail

Let's see if hiding the test only patch helps show the testbot that we want #13

Comment #17

darkodev CreditAttribution: darkodev commented 24 November 2021 at 22:40

So sorry I didn't pay more attention to the need for a test, and thanks very much to @mcdruid for jumping on it. Respect!

Comment #18

24 November 2021 at 23:14

mcdruid committed e470533 on 7.x

Issue #3063048 by mcdruid, darkodev, asvira: Error 500 when requesting...

Comment #19

mcdruid

🇬🇧🇪🇺

CreditAttribution: mcdruid as a volunteer and at Acquia commented 24 November 2021 at 23:16

Status:

Needs work

» Fixed

Thank you!

Comment #20

8 December 2021 at 23:19

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Error 500 when hitting any folders inside en/sites/default/files/styles/

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Comment #19

Comment #20

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community