SqliteConfigForm::validateForm does not correctly test real paths

Created on 19 May 2025, 2 months ago

Problem/Motivation

As part of the form validation, the directory that hosts the SQLite VDB is checked to make sure it is not publicly accessible. This is great, but it does so by testing whether a fake DB called verify-downloadable.sqlite.sql is accessible.
The problematic part is the call to \Drupal::service('file_system')->realpath($test_db_path), because at that point $test_db_path contains the filename but the database has not been created. For normal paths without a stream wrapper (like public:// or private://) this falls back to realpath.
But that returns false for files that don't exist, so \Drupal\ai_vdb_provider_sqlite\Form\SqliteConfigForm::isFilePubliclyAccessible gets called with FALSE. A quirk in PHP makes it so that if you pass false to realpath you get the current directory, and then of course that matches the Drupal root. So the HTTP client checks for a 200 response on the Drupal site URL, unsurprisingly finds it to be 200, and the form validation fails.

Steps to reproduce

  1. set up a default Drupal site structure with /web, /vendor and /config etc.
  2. create a folder called vdb next to web
  3. put ../vdb in the form
  4. observe validation error

Proposed resolution

fix the logic

Remaining tasks

patch

User interface changes

none

API changes

none

Data model changes

none

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇨🇭Switzerland bircher 🇨🇿
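
The failure chain described in the report, with one way to resolve a not-yet-created file safely, as an added example that is not the module's code. The helpers `resolve_pending_file()` and `is_inside()` are hypothetical names, and the temporary `web`/`vdb` layout is constructed to mirror the steps to reproduce.

```php
<?php
// Added illustration; not code from ai_vdb_provider_sqlite.

/**
 * Resolve a path whose last component may not exist yet by canonicalising
 * the parent directory only. Returns NULL (never FALSE) on failure so the
 * result cannot be fed back into realpath() by accident.
 */
function resolve_pending_file(string $path): ?string {
  $dir = realpath(dirname($path));
  if ($dir === false) {
    return null;
  }
  return $dir . DIRECTORY_SEPARATOR . basename($path);
}

/** Prefix check on canonical paths, anchored on a directory separator. */
function is_inside(string $resolved, string $root): bool {
  $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  return strncmp($resolved . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

// Constructed layout: <tmp>/web is the document root, <tmp>/vdb sits next to it.
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'vdb-demo-' . getmypid();
mkdir($site . '/web', 0700, true);
mkdir($site . '/vdb', 0700, true);
$webroot = realpath($site . '/web');
chdir($webroot);

// The probe file from the report; it is never created on disk.
$test_db_path = '../vdb/verify-downloadable.sqlite.sql';

// Failure chain: realpath() fails for the missing file, and the FALSE it
// returns is coerced to '' on the next call, which PHP reads as the
// current directory, here the web root.
$missing = realpath($test_db_path);
$second = realpath($missing);
var_dump($missing === false, $second === $webroot);

// Resolving the existing parent directory keeps the probe outside the web
// root, while a probe placed in the web root itself is still flagged.
$resolved = resolve_pending_file($test_db_path);
var_dump($resolved !== null && is_inside($resolved, $webroot));
var_dump(is_inside(resolve_pending_file('./verify-downloadable.sqlite.sql'), $webroot));

rmdir($site . '/vdb');
chdir(sys_get_temp_dir());
rmdir($site . '/web');
rmdir($site);
```

The script relies on PHP's default coercive typing; under `declare(strict_types=1)` the second `realpath()` call throws a `TypeError` instead of returning the current directory.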
