- ๐บ๐ธUnited States smustgrave
This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request โ as a guide.
Changed this to more a feature request.
Love the idea of more details!
At this time we will need a D10 version that may need to be updated for D10 and php8.Please do not reroll without testing first.
- Status changed to Needs review
almost 2 years ago 3:49am 25 January 2023 - Status changed to RTBC
almost 2 years ago 2:43pm 25 January 2023 - ๐บ๐ธUnited States smustgrave
@Abhisheksingh27 again please include an interdiff or diff with patches.
Change looks fine though
- Status changed to Needs review
almost 2 years ago 11:48pm 25 January 2023 - ๐บ๐ธUnited States xjm
Immediate question I have reading this code:
+++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php @@ -120,7 +120,7 @@ protected function createDirectory($directory, $mode = 0777) { - trigger_error('mkdir(): Permission Denied', E_USER_WARNING); + trigger_error(sprintf('mkdir(%s): Permission Denied', $directory), E_USER_WARNING);
This isn't going to disclose the secret PHP storage hash, is it? Core's default, shared-hosting-friendly setup relies on security through obscurity for that directory. Is
$directory
here the parent or the actual directory?Looking at the code, I think it's the actual directory. The preceding lines are:
// If parent exists, try to create the directory and ensure to set its // permissions, because mkdir() obeys the umask of the current process. if ($parent_exists) { // We hide warnings and ignore the return because there may have been a // race getting here and the directory could already exist. @mkdir($directory); // Only try to chmod() if the subdirectory could be created. if (is_dir($directory)) { // Avoid writing permissions if possible. if (fileperms($directory) !== $mode) { return chmod($directory, $mode); } return TRUE; } else { // Something failed and the directory doesn't exist.
I think this directory path might include the secret file storage hash, and if so, it could reduce security to have this in logs -- or, worse, displayed to the UI if the web server isn't properly configured.
Tagging for security review and manual testing to verify whether this is OK or not.
- ๐บ๐ธUnited States dww
Could we rely on
$config['system.logging']['error_level'] = 'verbose';
and only print the details if
settings.php
and friends ask us to?It does seem risky to print full server path names in exception messages that could potentially be displayed all over the place. Definitely agree with @xjm in #23. I haven't reviewed any code or done any testing, leaving all tags for now.
Thanks,
-Derek - ๐บ๐ธUnited States smustgrave
Posted in security-discussion to see if anyone can take a look.
Though #24 may be a good compromise?
- ๐ฌ๐งUnited Kingdom longwave UK
I agree there could be a risk here in information disclosure. As this is in a component that is designed to be used outside of Drupal core, we also can't rely on Drupal config to determine whether to give more information.
If
createDirectory()
fails,ensureDirectory()
does nothing. Is this also a bug? Ultimately it should probably be the caller ofsave()
that reports an error to the user, although without refactoring all this to use exceptions instead, it's not going to be possible for higher level callers to tell exactly what the error was. - ๐บ๐ธUnited States smustgrave
Tagging for framework review to see if it's worth doing
Ultimately it should probably be the caller of save() that reports an error to the user, although without refactoring all this to use exceptions instead, it's not going to be possible for higher level callers to tell exactly what the error was.
- ๐ฆ๐บAustralia larowlan ๐ฆ๐บ๐.au GMT+10
I don't think its worth reworking the component to throw errors, so inclined to mark this as won't fix
- ๐บ๐ธUnited States dww
Yeah, I hadnโt looked at the code at all. If this is a Component(tm), I rescind my previous suggestion ๐
In that case, +1 to wonโt fix.
- ๐ฆ๐บAustralia klonos 90% Melbourne, Australia - 10% Larissa, Greece
I also agree with won't-fixing this if the security concerns apply, however, to avoid someone raising the same issue to propose this in the future (because they aren't aware that this has been raised/discussed/decided before), should we at the very least add an inline comment to those 2 places stating that the directory name is intentionally NOT disclosed for security reasons?
Perhaps also add to that inline comment something about what the alternative is, in which case I find the "it should probably be the caller of save() that reports an error to the user" phrase by @longwave above to be short and to the point. So perhaps tweak that and use it?
- ๐บ๐ธUnited States dww
Sure, I guess an inline comment could be ok. But the caller of save() apparently wonโt know the reason, either, since this component doesnโt throw exceptions, and weโre saying itโs not worth adding that.
- ๐บ๐ธUnited States dww
Although, if we added a comment to core about every idea we considered and decided against, thereโd be more comments than code. ๐
- Status changed to Closed: won't fix
almost 2 years ago 2:42pm 3 March 2023 - ๐บ๐ธUnited States smustgrave
So reading the comments this appears to be a won't fix. If anyone feels strongly for comments would open a follow up referencing this ticket. But As @dww mentioned that could lead to a lot of comments.
- ๐ฆ๐บAustralia klonos 90% Melbourne, Australia - 10% Larissa, Greece
FTR, I don't feel strongly re adding inline comments, but just wanted to say that more inline comments in not a bad thing, and that at the end of the day it'll be either more comments, or more potential confusion and more (duplicate) issues raised ๐คทโโ๏ธ
- Status changed to Active
over 1 year ago 1:16pm 21 July 2023 - First commit to issue fork.
- last update
over 1 year ago 29,840 pass - @anpel opened merge request.
- Status changed to Needs review
over 1 year ago 3:43pm 21 July 2023 I added the comment lines and linked to this issue. Please let me know if I should rephrase.
- Status changed to RTBC
over 1 year ago 7:09pm 22 July 2023 - ๐บ๐ธUnited States smustgrave
Think change looks good. And matches IS.
- last update
over 1 year ago 29,878 pass - last update
over 1 year ago 29,880 pass 32:26 29:25 Running- last update
over 1 year ago 29,908 pass - ๐จ๐ญSwitzerland znerol
Please update the issue summary and bring it inline with the changes proposed in the merge request.
- last update
over 1 year ago 29,911 pass - last update
over 1 year ago 29,946 pass - last update
over 1 year ago 29,928 pass, 2 fail - last update
over 1 year ago 29,953 pass - last update
over 1 year ago 29,953 pass - last update
over 1 year ago 29,958 pass - last update
over 1 year ago 29,958 pass - last update
over 1 year ago 29,959 pass - last update
over 1 year ago 29,967 pass - last update
over 1 year ago 30,049 pass - last update
over 1 year ago 30,056 pass 32:55 28:55 Running- Status changed to Needs work
over 1 year ago 10:41am 23 August 2023 - ๐ณ๐ฟNew Zealand quietone
I'm triaging RTBC issues โ .
I read the issue summary and skimmed the comments. This proposed resolution is out of date, as reported in #24. I am setting this to Needs work for that. I also commented on the MR, that needs work as well. Both these tasks are suitable for 'Novice', so I am leaving the tag.
For anyone unfamiliar with issue summary updates, this should help, Write an issue summary for an existing issue โ .
- First commit to issue fork.
39:53 38:45 Running