Comment in \Drupal\Component\PhpStorage\FileStorage::createDirectory() that additional information is not included for security reasons

Created on 13 February 2019, almost 6 years ago
Updated 26 September 2023, about 1 year ago

Problem/Motivation

Right now, when a folder cannot be created, it tells us that it cannot. But it doesn't say what folder it is. Let's add that context so it is more clear what is happening and what folder couldn't be created.

Proposed resolution

Add the folder being created do the trigger_error.

Remaining tasks

Issue Summary Update
Work on the MR
Review
Commit

User interface changes

API changes

Data model changes

Release notes snippet

๐Ÿ“Œ Task
Status

Needs work

Version

11.0 ๐Ÿ”ฅ

Component
Baseย  โ†’

Last updated 1 day ago

Created by

heddn Nicaragua

Live updates comments and jobs are added and updated live.
  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request โ†’ as a guide.

    Changed this to more a feature request.

    Love the idea of more details!
    At this time we will need a D10 version that may need to be updated for D10 and php8.

    Please do not reroll without testing first.

  • Status changed to Needs review almost 2 years ago
  • ๐Ÿ‡ฎ๐Ÿ‡ณIndia Abhisheksingh27

    Adding reroll for 10.1.x

  • Status changed to RTBC almost 2 years ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    @Abhisheksingh27 again please include an interdiff or diff with patches.

    Change looks fine though

  • Status changed to Needs review almost 2 years ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States xjm

    Immediate question I have reading this code:

    +++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
    @@ -120,7 +120,7 @@ protected function createDirectory($directory, $mode = 0777) {
    -        trigger_error('mkdir(): Permission Denied', E_USER_WARNING);
    +        trigger_error(sprintf('mkdir(%s): Permission Denied', $directory), E_USER_WARNING);
    

    This isn't going to disclose the secret PHP storage hash, is it? Core's default, shared-hosting-friendly setup relies on security through obscurity for that directory. Is $directory here the parent or the actual directory?

    Looking at the code, I think it's the actual directory. The preceding lines are:

       // If parent exists, try to create the directory and ensure to set its      
        // permissions, because mkdir() obeys the umask of the current process.     
        if ($parent_exists) {
          // We hide warnings and ignore the return because there may have been a   
          // race getting here and the directory could already exist.               
          @mkdir($directory);
          // Only try to chmod() if the subdirectory could be created.              
          if (is_dir($directory)) {
            // Avoid writing permissions if possible.                               
            if (fileperms($directory) !== $mode) {
              return chmod($directory, $mode);
            }
            return TRUE;
          }
          else {
            // Something failed and the directory doesn't exist.  
    

    I think this directory path might include the secret file storage hash, and if so, it could reduce security to have this in logs -- or, worse, displayed to the UI if the web server isn't properly configured.

    Tagging for security review and manual testing to verify whether this is OK or not.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States dww

    Could we rely on

    $config['system.logging']['error_level'] = 'verbose';
    

    and only print the details if settings.php and friends ask us to?

    It does seem risky to print full server path names in exception messages that could potentially be displayed all over the place. Definitely agree with @xjm in #23. I haven't reviewed any code or done any testing, leaving all tags for now.

    Thanks,
    -Derek

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Posted in security-discussion to see if anyone can take a look.

    Though #24 may be a good compromise?

  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom longwave UK

    I agree there could be a risk here in information disclosure. As this is in a component that is designed to be used outside of Drupal core, we also can't rely on Drupal config to determine whether to give more information.

    If createDirectory() fails, ensureDirectory() does nothing. Is this also a bug? Ultimately it should probably be the caller of save() that reports an error to the user, although without refactoring all this to use exceptions instead, it's not going to be possible for higher level callers to tell exactly what the error was.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Tagging for framework review to see if it's worth doing

    Ultimately it should probably be the caller of save() that reports an error to the user, although without refactoring all this to use exceptions instead, it's not going to be possible for higher level callers to tell exactly what the error was.

  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia larowlan ๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ.au GMT+10

    I don't think its worth reworking the component to throw errors, so inclined to mark this as won't fix

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States dww

    Yeah, I hadnโ€™t looked at the code at all. If this is a Component(tm), I rescind my previous suggestion ๐Ÿ˜…

    In that case, +1 to wonโ€™t fix.

  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia klonos 90% Melbourne, Australia - 10% Larissa, Greece

    I also agree with won't-fixing this if the security concerns apply, however, to avoid someone raising the same issue to propose this in the future (because they aren't aware that this has been raised/discussed/decided before), should we at the very least add an inline comment to those 2 places stating that the directory name is intentionally NOT disclosed for security reasons?

    Perhaps also add to that inline comment something about what the alternative is, in which case I find the "it should probably be the caller of save() that reports an error to the user" phrase by @longwave above to be short and to the point. So perhaps tweak that and use it?

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States dww

    Sure, I guess an inline comment could be ok. But the caller of save() apparently wonโ€™t know the reason, either, since this component doesnโ€™t throw exceptions, and weโ€™re saying itโ€™s not worth adding that.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States dww

    Although, if we added a comment to core about every idea we considered and decided against, thereโ€™d be more comments than code. ๐Ÿ˜‚

  • Status changed to Closed: won't fix almost 2 years ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    So reading the comments this appears to be a won't fix. If anyone feels strongly for comments would open a follow up referencing this ticket. But As @dww mentioned that could lead to a lot of comments.

  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia klonos 90% Melbourne, Australia - 10% Larissa, Greece

    FTR, I don't feel strongly re adding inline comments, but just wanted to say that more inline comments in not a bad thing, and that at the end of the day it'll be either more comments, or more potential confusion and more (duplicate) issues raised ๐Ÿคทโ€โ™‚๏ธ

  • Status changed to Active over 1 year ago
  • First commit to issue fork.
  • last update over 1 year ago
    29,840 pass
  • @anpel opened merge request.
  • Status changed to Needs review over 1 year ago
  • I added the comment lines and linked to this issue. Please let me know if I should rephrase.

  • Status changed to RTBC over 1 year ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Think change looks good. And matches IS.

  • last update over 1 year ago
    29,878 pass
  • last update over 1 year ago
    29,880 pass
  • 32:26
    29:25
    Running
  • last update over 1 year ago
    29,908 pass
  • ๐Ÿ‡จ๐Ÿ‡ญSwitzerland znerol

    Please update the issue summary and bring it inline with the changes proposed in the merge request.

  • last update over 1 year ago
    29,911 pass
  • last update over 1 year ago
    29,946 pass
  • last update over 1 year ago
    29,928 pass, 2 fail
  • last update over 1 year ago
    29,953 pass
  • last update over 1 year ago
    29,953 pass
  • last update over 1 year ago
    29,958 pass
  • last update over 1 year ago
    29,958 pass
  • last update over 1 year ago
    29,959 pass
  • last update over 1 year ago
    29,967 pass
  • last update over 1 year ago
    30,049 pass
  • last update over 1 year ago
    30,056 pass
  • 32:55
    28:55
    Running
  • Status changed to Needs work over 1 year ago
  • ๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand quietone

    I'm triaging RTBC issues โ†’ .

    I read the issue summary and skimmed the comments. This proposed resolution is out of date, as reported in #24. I am setting this to Needs work for that. I also commented on the MR, that needs work as well. Both these tasks are suitable for 'Novice', so I am leaving the tag.

    For anyone unfamiliar with issue summary updates, this should help, Write an issue summary for an existing issue โ†’ .

  • ๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand quietone

    Trying for a better title

  • First commit to issue fork.
  • 39:53
    38:45
    Running
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States xjm

    Fixing attribution.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States xjm

    And hiding old patch files for clarity.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States xjm
Production build 0.71.5 2024