Update to Drupal 8.0.4. For more information, see https://www.drupal.org/drupal-8.0.4
This commit is contained in:
Pantheon Automation
Greg Anderson
parent
9db4fae9a7
commit
315484f62f
7 changed files with 205 additions and 10 deletions
|
|
@ -64,6 +64,7 @@ class ManagedFile extends FormElement {
|
|||
foreach ($fids as $key => $fid) {
|
||||
$fids[$key] = (int) $fid;
|
||||
}
|
||||
$force_default = FALSE;
|
||||
|
||||
// Process any input and save new uploads.
|
||||
if ($input !== FALSE) {
|
||||
|
|
@ -95,15 +96,26 @@ class ManagedFile extends FormElement {
|
|||
$fids = [];
|
||||
foreach ($input['fids'] as $fid) {
|
||||
if ($file = File::load($fid)) {
|
||||
$fids[] = $file->id();
|
||||
// Temporary files that belong to other users should never be
|
||||
// allowed. Since file ownership can't be determined for anonymous
|
||||
// users, they are not allowed to reuse temporary files at all.
|
||||
if ($file->isTemporary() && (\Drupal::currentUser()->isAnonymous() || $file->getOwnerId() != \Drupal::currentUser()->id())) {
|
||||
$force_default = TRUE;
|
||||
break;
|
||||
}
|
||||
// If all checks pass, allow the files to be changed.
|
||||
else {
|
||||
$fids[] = $file->id();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If there is no input, set the default value.
|
||||
else {
|
||||
// If there is no input or if the default value was requested above, use the
|
||||
// default value.
|
||||
if ($input === FALSE || $force_default) {
|
||||
if ($element['#extended']) {
|
||||
$default_fids = isset($element['#default_value']['fids']) ? $element['#default_value']['fids'] : [];
|
||||
$return = isset($element['#default_value']) ? $element['#default_value'] : ['fids' => []];
|
||||
|
|
|
|||
|
|
@ -10,11 +10,14 @@ namespace Drupal\file\Tests;
|
|||
use Drupal\comment\Entity\Comment;
|
||||
use Drupal\comment\Tests\CommentTestTrait;
|
||||
use Drupal\Component\Utility\Unicode;
|
||||
use Drupal\Core\Url;
|
||||
use Drupal\field\Entity\FieldConfig;
|
||||
use Drupal\field\Entity\FieldStorageConfig;
|
||||
use Drupal\field_ui\Tests\FieldUiTestTrait;
|
||||
use Drupal\user\RoleInterface;
|
||||
use Drupal\file\Entity\File;
|
||||
use Drupal\user\Entity\User;
|
||||
use Drupal\user\UserInterface;
|
||||
|
||||
/**
|
||||
* Tests the file field widget, single and multi-valued, with and without AJAX,
|
||||
|
|
@ -42,6 +45,36 @@ class FileFieldWidgetTest extends FileFieldTestBase {
|
|||
*/
|
||||
public static $modules = array('comment', 'block');
|
||||
|
||||
/**
|
||||
* Creates a temporary file, for a specific user.
|
||||
*
|
||||
* @param string $data
|
||||
* A string containing the contents of the file.
|
||||
* @param \Drupal\user\UserInterface $user
|
||||
* The user of the file owner.
|
||||
*
|
||||
* @return \Drupal\file\FileInterface
|
||||
* A file object, or FALSE on error.
|
||||
*/
|
||||
protected function createTemporaryFile($data, UserInterface $user = NULL) {
|
||||
$file = file_save_data($data, NULL, NULL);
|
||||
|
||||
if ($file) {
|
||||
if ($user) {
|
||||
$file->setOwner($user);
|
||||
}
|
||||
else {
|
||||
$file->setOwner($this->adminUser);
|
||||
}
|
||||
// Change the file status to be temporary.
|
||||
$file->setTemporary();
|
||||
// Save the changes.
|
||||
$file->save();
|
||||
}
|
||||
|
||||
return $file;
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests upload and remove buttons for a single-valued File field.
|
||||
*/
|
||||
|
|
@ -449,4 +482,113 @@ class FileFieldWidgetTest extends FileFieldTestBase {
|
|||
$this->assertIdentical(count($elements), 1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests exploiting the temporary file removal of another user using fid.
|
||||
*/
|
||||
public function testTemporaryFileRemovalExploit() {
|
||||
// Create a victim user.
|
||||
$victim_user = $this->drupalCreateUser();
|
||||
|
||||
// Create an attacker user.
|
||||
$attacker_user = $this->drupalCreateUser(array(
|
||||
'access content',
|
||||
'create article content',
|
||||
'edit any article content',
|
||||
));
|
||||
|
||||
// Log in as the attacker user.
|
||||
$this->drupalLogin($attacker_user);
|
||||
|
||||
// Perform tests using the newly created users.
|
||||
$this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests exploiting the temporary file removal for anonymous users using fid.
|
||||
*/
|
||||
public function testTemporaryFileRemovalExploitAnonymous() {
|
||||
// Set up an anonymous victim user.
|
||||
$victim_user = User::getAnonymousUser();
|
||||
|
||||
// Set up an anonymous attacker user.
|
||||
$attacker_user = User::getAnonymousUser();
|
||||
|
||||
// Set up permissions for anonymous attacker user.
|
||||
user_role_change_permissions(RoleInterface::ANONYMOUS_ID, array(
|
||||
'access content' => TRUE,
|
||||
'create article content' => TRUE,
|
||||
'edit any article content' => TRUE,
|
||||
));
|
||||
|
||||
// Log out so as to be the anonymous attacker user.
|
||||
$this->drupalLogout();
|
||||
|
||||
// Perform tests using the newly set up anonymous users.
|
||||
$this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper for testing exploiting the temporary file removal using fid.
|
||||
*
|
||||
* @param \Drupal\user\UserInterface $victim_user
|
||||
* The victim user.
|
||||
* @param \Drupal\user\UserInterface $attacker_user
|
||||
* The attacker user.
|
||||
*/
|
||||
protected function doTestTemporaryFileRemovalExploit(UserInterface $victim_user, UserInterface $attacker_user) {
|
||||
$type_name = 'article';
|
||||
$field_name = 'test_file_field';
|
||||
$this->createFileField($field_name, 'node', $type_name);
|
||||
|
||||
$test_file = $this->getTestFile('text');
|
||||
foreach (array('nojs', 'js') as $type) {
|
||||
// Create a temporary file owned by the victim user. This will be as if
|
||||
// they had uploaded the file, but not saved the node they were editing
|
||||
// or creating.
|
||||
$victim_tmp_file = $this->createTemporaryFile('some text', $victim_user);
|
||||
$victim_tmp_file = File::load($victim_tmp_file->id());
|
||||
$this->assertTrue($victim_tmp_file->isTemporary(), 'New file saved to disk is temporary.');
|
||||
$this->assertFalse(empty($victim_tmp_file->id()), 'New file has an fid.');
|
||||
$this->assertEqual($victim_user->id(), $victim_tmp_file->getOwnerId(), 'New file belongs to the victim.');
|
||||
|
||||
// Have attacker create a new node with a different uploaded file and
|
||||
// ensure it got uploaded successfully.
|
||||
$edit = [
|
||||
'title[0][value]' => $type . '-title' ,
|
||||
];
|
||||
|
||||
// Attach a file to a node.
|
||||
$edit['files[' . $field_name . '_0]'] = $this->container->get('file_system')->realpath($test_file->getFileUri());
|
||||
$this->drupalPostForm(Url::fromRoute('node.add', array('node_type' => $type_name)), $edit, t('Save'));
|
||||
$node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
|
||||
|
||||
/** @var \Drupal\file\FileInterface $node_file */
|
||||
$node_file = File::load($node->{$field_name}->target_id);
|
||||
$this->assertFileExists($node_file, 'A file was saved to disk on node creation');
|
||||
$this->assertEqual($attacker_user->id(), $node_file->getOwnerId(), 'New file belongs to the attacker.');
|
||||
|
||||
// Ensure the file can be downloaded.
|
||||
$this->drupalGet(file_create_url($node_file->getFileUri()));
|
||||
$this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
|
||||
|
||||
// "Click" the remove button (emulating either a nojs or js submission).
|
||||
// In this POST request, the attacker "guesses" the fid of the victim's
|
||||
// temporary file and uses that to remove this file.
|
||||
$this->drupalGet($node->toUrl('edit-form'));
|
||||
switch ($type) {
|
||||
case 'nojs':
|
||||
$this->drupalPostForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], 'Remove');
|
||||
break;
|
||||
|
||||
case 'js':
|
||||
$this->drupalPostAjaxForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], ["{$field_name}_0_remove_button" => 'Remove']);
|
||||
break;
|
||||
}
|
||||
|
||||
// The victim's temporary file should not be removed by the attacker's
|
||||
// POST request.
|
||||
$this->assertFileExists($victim_tmp_file);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -231,7 +231,13 @@ class UserLoginForm extends FormBase {
|
|||
}
|
||||
}
|
||||
else {
|
||||
$form_state->setErrorByName('name', $this->t('Unrecognized username or password. <a href=":password">Have you forgotten your password?</a>', array(':password' => $this->url('user.pass', [], array('query' => array('name' => $form_state->getValue('name')))))));
|
||||
// Use $form_state->getUserInput() in the error message to guarantee
|
||||
// that we send exactly what the user typed in. The value from
|
||||
// $form_state->getValue() may have been modified by validation
|
||||
// handlers that ran earlier than this one.
|
||||
$user_input = $form_state->getUserInput();
|
||||
$query = isset($user_input['name']) ? array('name' => $user_input['name']) : array();
|
||||
$form_state->setErrorByName('name', $this->t('Unrecognized username or password. <a href=":password">Have you forgotten your password?</a>', array(':password' => $this->url('user.pass', [], array('query' => $query)))));
|
||||
$accounts = $this->userStorage->loadByProperties(array('name' => $form_state->getValue('name')));
|
||||
if (!empty($accounts)) {
|
||||
$this->logger('user')->notice('Login attempt failed for %user.', array('%user' => $form_state->getValue('name')));
|
||||
|
|
|
|||
Reference in a new issue