From 942722de12be686f71096ee5ae4c607000e2e6ac Mon Sep 17 00:00:00 2001
From: catch <catch@35733.no-reply.drupal.org>
Date: Wed, 14 Jun 2023 16:20:31 +0100
Subject: [PATCH] Issue #3366481 by cilefen, acbramley, phenaproxima, seanB:
 OEmbedIframeController returns an HTTP response code that can be cached by
 forward proxies when it is given illegal parameters

(cherry picked from commit ca17d0acb36a0b8ed4176794949bda32719a72d3)
---
 .../media/src/Controller/OEmbedIframeController.php       | 8 ++++----
 .../FunctionalJavascript/MediaSourceOEmbedVideoTest.php   | 2 +-
 .../media/tests/src/Kernel/OEmbedIframeControllerTest.php | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/core/modules/media/src/Controller/OEmbedIframeController.php b/core/modules/media/src/Controller/OEmbedIframeController.php
index 9da8f9050230..3c5079f6204a 100644
--- a/core/modules/media/src/Controller/OEmbedIframeController.php
+++ b/core/modules/media/src/Controller/OEmbedIframeController.php
@@ -18,7 +18,7 @@
 use Psr\Log\LoggerInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 /**
  * Controller which renders an oEmbed resource in a bare page (without blocks).
@@ -115,7 +115,7 @@ public static function create(ContainerInterface $container) {
    * @return \Symfony\Component\HttpFoundation\Response
    *   The response object.
    *
-   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+   * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
    *   Will be thrown if either
    *   - the 'hash' parameter does not match the expected hash of the 'url'
    *     parameter;
@@ -129,7 +129,7 @@ public function render(Request $request) {
       $allowed_host = parse_url($allowed_domain, PHP_URL_HOST);
       $host = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
       if ($allowed_host !== $host) {
-        throw new AccessDeniedHttpException('This resource is not available');
+        throw new BadRequestHttpException('This resource is not available');
       }
     }
 
@@ -141,7 +141,7 @@ public function render(Request $request) {
     // parameter passed in the query string.
     $hash = $this->iFrameUrlHelper->getHash($url, $max_width, $max_height);
     if (!hash_equals($hash, $request->query->get('hash', ''))) {
-      throw new AccessDeniedHttpException('This resource is not available');
+      throw new BadRequestHttpException('This resource is not available');
     }
 
     // Return a response instead of a render array so that the frame content
diff --git a/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php b/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
index cab7e3073432..62b7500be833 100644
--- a/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
+++ b/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
@@ -195,7 +195,7 @@ public function testMediaOEmbedVideoSource() {
     $no_hash_query = array_diff_key($query, ['hash' => '']);
     $this->drupalGet('media/oembed', ['query' => $no_hash_query]);
     $assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
-    $assert_session->pageTextContains('Access denied');
+    $assert_session->pageTextContains('Client error');
 
     // A correct query should be allowed because the anonymous role has the
     // 'view media' permission.
diff --git a/core/modules/media/tests/src/Kernel/OEmbedIframeControllerTest.php b/core/modules/media/tests/src/Kernel/OEmbedIframeControllerTest.php
index 9eae8d20cc9f..479c2313d402 100644
--- a/core/modules/media/tests/src/Kernel/OEmbedIframeControllerTest.php
+++ b/core/modules/media/tests/src/Kernel/OEmbedIframeControllerTest.php
@@ -56,7 +56,7 @@ public function testBadHashParameter($hash) {
 
     $this->assertIsCallable($controller);
 
-    $this->expectException('\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException');
+    $this->expectException('\Symfony\Component\HttpKernel\Exception\BadRequestHttpException');
     $this->expectExceptionMessage('This resource is not available');
     $request = new Request([
       'url' => 'https://example.com/path/to/resource',
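Review bot: `expectException()` on L77 is given the exception class as a string literal with a leading backslash; the class-constant form, `$this->expectException(BadRequestHttpException::class);` with a matching `use` import at the top of the test file, lets static analysis and IDE refactoring detect a future rename of the class, which a string cannot. The string form was already present for the old exception class, so this is a pre-existing style point the commit carries forward rather than a new defect. testBadHashParameter() starts before this hunk and the `new Request([...])` expression continues past its last line.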
-- 
GitLab