Contrib.social

File inclusion weakness in stream wrappers, and StreamWrapperInterface composite constants are not clearly documented or tested for correctness

Open on Drupal.org β†’
Created on 30 June 2015, over 9 years ago
Updated 30 January 2023, almost 2 years ago

Problem/Motivation

Since #942690: Security harden stream wrappers by defaulting them as remote β†’

\Drupal\Core\StreamWrapper\PrivateStream and \Drupal\Core\StreamWrapper\PublicStream

have:

  /**
   * {@inheritdoc}
   */
  public static function getType() {
    return StreamWrapperInterface::LOCAL_NORMAL;
  }

This means public and private file uploads could be included as PHP files. This is a security weakness that seems to have been added by mistake and shoudl be remediated.

Also, StreamWrapperInterface uses class constants which , before PHP 5.6.0 do not support expressions so unlike D7 they are calculated, and it' not clear they are correct in all cases.

D7 uses defines and so it does for NORMAL:

 define('STREAM_WRAPPERS_WRITE_VISIBLE', STREAM_WRAPPERS_READ | STREAM_WRAPPERS_WRITE | STREAM_WRAPPERS_VISIBLE)

We should add documentation and tests to verify these calculations are correct.

Proposed resolution

Add tests to insure that each constant that is a combination is correctly calculated to match the component parts.

Remaining tasks

Add tests
review

User interface changes

none

API changes

change stream wrapper types back to not be "local" to avoid possibly security vulnerabilities.

Data model changes

none

Reported by chx as part of the Drupal 8 security bug bounty

https://tracker.bugcrowd.com/submissions/58ebf88424951cadfcd1c3146d6dfc2...

Beta phase evaluation

<!--Uncomment the relevant rows for the issue. -->
πŸ› Bug report
Status

Needs work

Version

9.5

Component
File systemΒ  β†’

Last updated about 3 hours ago

Created by

πŸ‡ΊπŸ‡ΈUnited States pwolanin

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago β†’
    needs-review-queue-bot

    The Needs Review Queue Bot β†’ tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024