Commit 942722de authored by catch's avatar catch

Issue #3366481 by cilefen, acbramley, phenaproxima, seanB:...

Issue #3366481 by cilefen, acbramley, phenaproxima, seanB: OEmbedIframeController returns an HTTP response code that can be cached by forward proxies when it is given illegal parameters

(cherry picked from commit ca17d0ac)
parent 480c9661
...@@ -18,7 +18,7 @@ ...@@ -18,7 +18,7 @@
use Psr\Log\LoggerInterface; use Psr\Log\LoggerInterface;
use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
/** /**
* Controller which renders an oEmbed resource in a bare page (without blocks). * Controller which renders an oEmbed resource in a bare page (without blocks).
...@@ -115,7 +115,7 @@ public static function create(ContainerInterface $container) { ...@@ -115,7 +115,7 @@ public static function create(ContainerInterface $container) {
* @return \Symfony\Component\HttpFoundation\Response * @return \Symfony\Component\HttpFoundation\Response
* The response object. * The response object.
* *
* @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
* Will be thrown if either * Will be thrown if either
* - the 'hash' parameter does not match the expected hash of the 'url' * - the 'hash' parameter does not match the expected hash of the 'url'
* parameter; * parameter;
...@@ -129,7 +129,7 @@ public function render(Request $request) { ...@@ -129,7 +129,7 @@ public function render(Request $request) {
$allowed_host = parse_url($allowed_domain, PHP_URL_HOST); $allowed_host = parse_url($allowed_domain, PHP_URL_HOST);
$host = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST); $host = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
if ($allowed_host !== $host) { if ($allowed_host !== $host) {
throw new AccessDeniedHttpException('This resource is not available'); throw new BadRequestHttpException('This resource is not available');
} }
} }
...@@ -141,7 +141,7 @@ public function render(Request $request) { ...@@ -141,7 +141,7 @@ public function render(Request $request) {
// parameter passed in the query string. // parameter passed in the query string.
$hash = $this->iFrameUrlHelper->getHash($url, $max_width, $max_height); $hash = $this->iFrameUrlHelper->getHash($url, $max_width, $max_height);
if (!hash_equals($hash, $request->query->get('hash', ''))) { if (!hash_equals($hash, $request->query->get('hash', ''))) {
throw new AccessDeniedHttpException('This resource is not available'); throw new BadRequestHttpException('This resource is not available');
} }
// Return a response instead of a render array so that the frame content // Return a response instead of a render array so that the frame content
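Review bot: The reason for throwing a 400 instead of a 403 on the hash mismatch lives only in the commit message; nothing at the throw site stops a later maintainer from switching it back to AccessDeniedHttpException, which a failed hash check semantically invites. Add a why-comment directly above the throw, e.g. `// Deliberately a 400, not a 403: an access-denied response for a bad hash or host can be cached by forward proxies and then served for the same URL (#3366481).`, and the same comment above the host-mismatch throw earlier in the method. Keeping the identical message 'This resource is not available' for both failures is a good choice, since the response does not reveal which check failed; the `@throws` docblock should say the same thing so callers know the two cases are intentionally indistinguishable. render() begins and ends outside the hunk.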
......
...@@ -195,7 +195,7 @@ public function testMediaOEmbedVideoSource() { ...@@ -195,7 +195,7 @@ public function testMediaOEmbedVideoSource() {
$no_hash_query = array_diff_key($query, ['hash' => '']); $no_hash_query = array_diff_key($query, ['hash' => '']);
$this->drupalGet('media/oembed', ['query' => $no_hash_query]); $this->drupalGet('media/oembed', ['query' => $no_hash_query]);
$assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!'); $assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
$assert_session->pageTextContains('Access denied'); $assert_session->pageTextContains('Client error');
// A correct query should be allowed because the anonymous role has the // A correct query should be allowed because the anonymous role has the
// 'view media' permission. // 'view media' permission.
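Review bot: The assertion on the page text 'Client error' is a weaker check than the status code the commit actually changes, and it depends on how the error page is themed; add `$assert_session->statusCodeEquals(400);` right after the drupalGet() so a regression back to 403 is caught regardless of rendered text. This request only omits the hash parameter; the unit test in the other hunk covers a wrong value, but sending a present-but-tampered hash through the full HTTP stack here would make the end-to-end check stronger. testMediaOEmbedVideoSource() begins and ends outside the hunk.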
......
...@@ -56,7 +56,7 @@ public function testBadHashParameter($hash) { ...@@ -56,7 +56,7 @@ public function testBadHashParameter($hash) {
$this->assertIsCallable($controller); $this->assertIsCallable($controller);
$this->expectException('\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException'); $this->expectException('\Symfony\Component\HttpKernel\Exception\BadRequestHttpException');
$this->expectExceptionMessage('This resource is not available'); $this->expectExceptionMessage('This resource is not available');
$request = new Request([ $request = new Request([
'url' => 'https://example.com/path/to/resource', 'url' => 'https://example.com/path/to/resource',
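Review bot: The expected exception is named as a string literal with a leading backslash; prefer `$this->expectException(BadRequestHttpException::class);` so a renamed or mistyped class is caught by static analysis instead of failing only at runtime (this needs a `use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;` import if the test file does not already have one, which is not visible here). The message assertion on the following line matches the controller's string byte-for-byte, which is what keeps the two failure cases indistinguishable to a client. testBadHashParameter() begins and ends outside the hunk.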
......