Test follow up for SA-CORE-2023-005

Created on 24 December 2024, about 23 hours ago

Problem/Motivation

Public follow up to improve tests and documentation after SA-CORE-2023-005 was released.

Redacted copy paste below, some items might not be relevant anymore:

+++ b/core/assets/scaffold/files/default.settings.php
@@ -531,6 +531,25 @@
+# $settings['file_sa_core_2023_005_schemes'] = ['porcelain'];

The default value of "porcelain" confused me at first because I thought it was a meaningful technical term (as in "porcelain diff" in git). After re-reading the docblock I realize it is just example code. The docblock does not make it clear that "porcelain" is just an example of a totally custom scheme -- it's implied from the use of the words "china" and "plate", but not stated explicitly, and might be especially difficult for folks who don't have English as a first language to grasp.

It might be better for it to be "example" or something? With the full path as example://example_path/filename.png?

+++ b/core/modules/file/tests/src/Functional/FileAccessTest.php
@@ -0,0 +1,94 @@
+    // treat '#' as separating a fragment. Do not test '?' since that is not a
+    // valid filename character on Windows.

We could conditionally test ? on not-Windows? Or test that ? is disallowed? It's unclear to me whether or not we expect ? to not be in the data at this point or if we are just ignoring it for the test because we want environment-agnostic tests.

+++ b/core/modules/file/tests/src/Functional/FileAccessTest.php
@@ -0,0 +1,94 @@
+      // must also include the script prefix, because Apache is configured to not

Over 80 chars.

+++ b/core/modules/file/tests/src/Kernel/PathTraversalTest.php
@@ -0,0 +1,61 @@
+   *   The file path to test, including the stream wrapper scheme prefix (e.g.
+   *   'public://foo/bar.txt'.

+++ b/core/tests/Drupal/KernelTests/Core/StreamWrapper/StreamWrapperManagerTest.php
@@ -60,4 +91,99 @@ public function providerTestUriScheme() {
+   *   The file path to test, including the stream wrapper scheme prefix (e.g.
+   *   'public://foo/bar.txt'.

Unclosed parenthesis.

+++ b/core/modules/image/src/Controller/ImageStyleDownloadController.php
@@ -123,8 +137,13 @@ public function deliver(Request $request, $scheme, ImageStyleInterface $image_st
+    // Previous versions of the code generated the URL with a token based on the
+    // URI before it was normalized. Those URLs may be cached, so consider the
+    // token valid if it matches one based on the original or normalized URI.
+    // @see Drupal\image\Entity\ImageStyle::buildUrl().
     $token = $request->query->get(IMAGE_DERIVATIVE_TOKEN, '');
-    $token_is_valid = hash_equals($image_style->getPathToken($image_uri), $token);
+    $token_is_valid = hash_equals($image_style->getPathToken($image_uri), $token)
+      || hash_equals($image_style->getPathToken($scheme . '://' . $target), $token);

My kneejerk reading the code comment here was "We should just be invalidating old caches rather than supporting them" -- is "cache" the right word here?

+++ b/core/tests/Drupal/KernelTests/Core/StreamWrapper/StreamWrapperManagerTest.php
@@ -23,6 +27,22 @@ class StreamWrapperManagerTest extends KernelTestBase {
+  protected $scheme = 'dummy-external-readonly';
...
+  protected $classname = 'Drupal\file_test\StreamWrapper\DummyExternalReadOnlyWrapper';

"Dummy" is an ableist word.

+++ b/core/tests/Drupal/KernelTests/Core/StreamWrapper/StreamWrapperManagerTest.php
@@ -60,4 +91,99 @@ public function providerTestUriScheme() {
+   * Tests that normalizeUri resolves relative paths.
...
+   * Tests that normalizeUri exceptions apply only to local schemes.

::normalizeUr() should have parens and at least a double colon prefix since it is not a global function; probably the class name also.

+++ b/core/tests/Drupal/KernelTests/Core/StreamWrapper/StreamWrapperNormalizationTestTrait.php
@@ -0,0 +1,272 @@
+ * DataProvider for relative path tests.

"Data provider", not "DataProvider".

+++ b/core/tests/Drupal/KernelTests/Core/StreamWrapper/StreamWrapperNormalizationTestTrait.php
@@ -0,0 +1,272 @@
+      // We include the query and fragment tests from 5.4.2
+      // however query('?') and fragment('#') characters are not subject to
+      // special processing as part of a filesystem path.  We deviate from the
+      // RFC examples by validating normalization is done after these
+      // characters in a file path.

Very minor issue with early wrapping, a double space after the period, and missing punctuation;

+++ b/core/assets/scaffold/files/default.settings.php
@@ -531,6 +531,25 @@
+ * File schemes whose paths should not be normalized:

This should end with a period, not a colon, but this is very unimportant.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Background information

πŸ“Œ Task
Status

Active

Version

11.0 πŸ”₯

Component

file system

Created by

πŸ‡§πŸ‡ͺBelgium BramDriesen Belgium πŸ‡§πŸ‡ͺ

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Production build 0.71.5 2024