Commit ca17d0ac authored by catch

Issue #3366481 by cilefen, acbramley, phenaproxima, seanB: OEmbedIframeController returns an HTTP response code that can be cached by forward proxies when it is given illegal parameters
parent b1dd9f7e
......@@ -18,7 +18,7 @@
use Psr\Log\LoggerInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
/**
* Controller which renders an oEmbed resource in a bare page (without blocks).
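Review bot: the swapped use statement at the top of this hunk removes the only import of AccessDeniedHttpException in the file, so any `throw new AccessDeniedHttpException(...)` left elsewhere in this controller would now resolve against the controller's own namespace and fail at runtime instead of producing a 403; please confirm the two throw sites changed in this commit are the only references, and that no remaining `@throws` annotation still names the old class.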
......@@ -115,7 +115,7 @@ public static function create(ContainerInterface $container) {
* @return \Symfony\Component\HttpFoundation\Response
* The response object.
*
* @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
* @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
* Will be thrown if either
* - the 'hash' parameter does not match the expected hash of the 'url'
* parameter;
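Review bot: the updated @throws line swaps the class but leaves the docblock silent on why a 400 is used for what are, from the client's point of view, refused requests; one sentence after the condition list recording that a 403 response from this controller could be cached by forward proxies (the motivation given in the commit title) would stop a future cleanup from "correcting" it back to AccessDeniedHttpException.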
......@@ -129,7 +129,7 @@ public function render(Request $request) {
$allowed_host = parse_url($allowed_domain, PHP_URL_HOST);
$host = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
if ($allowed_host !== $host) {
throw new AccessDeniedHttpException('This resource is not available');
throw new BadRequestHttpException('This resource is not available');
}
}
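Review bot: the new BadRequestHttpException in the allowed-host branch carries the same message, 'This resource is not available', as the hash check further down, so a 400 in the logs no longer tells an operator which of the two checks rejected the request. Keep the client-facing message generic, but log the failing check through the injected LoggerInterface (imported at the top of this file) before throwing, e.g. `$this->logger->notice('oEmbed iframe request rejected: host @host is not the allowed host', ['@host' => $host]);` if the controller exposes its logger as `$this->logger`.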
......@@ -141,7 +141,7 @@ public function render(Request $request) {
// parameter passed in the query string.
$hash = $this->iFrameUrlHelper->getHash($url, $max_width, $max_height);
if (!hash_equals($hash, $request->query->get('hash', ''))) {
throw new AccessDeniedHttpException('This resource is not available');
throw new BadRequestHttpException('This resource is not available');
}
// Return a response instead of a render array so that the frame content
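Review bot: hash_equals() with the site-computed hash as the first argument and the user-supplied value second is the right ordering and keeps the comparison constant-time, but `$request->query->get('hash', '')` only yields a string when the parameter is scalar; a request sending `hash[]=...` reaches this line with a non-string value, and either the input bag or hash_equals() itself (depending on the Symfony and PHP versions in use) will raise a different error than the 400 this commit intends. Validating that the parameter is a string before the comparison would make the 400 path the only outcome for malformed input.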
......@@ -195,7 +195,7 @@ public function testMediaOEmbedVideoSource() {
$no_hash_query = array_diff_key($query, ['hash' => '']);
$this->drupalGet('media/oembed', ['query' => $no_hash_query]);
$assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
$assert_session->pageTextContains('Access denied');
$assert_session->pageTextContains('Client error');
// A correct query should be allowed because the anonymous role has the
// 'view media' permission.
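Review bot: asserting on the page text 'Client error' checks the error page body rather than the behaviour the issue is about; add `$assert_session->statusCodeEquals(400);` alongside it, and since the motivation for this change is that the previous response could be cached by forward proxies, an assertion on the response's cache headers (for example that Cache-Control does not advertise a public max-age for the rejected request) would catch a regression to a cacheable error status.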
......@@ -56,7 +56,7 @@ public function testBadHashParameter($hash) {
$this->assertIsCallable($controller);
$this->expectException('\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException');
$this->expectException('\Symfony\Component\HttpKernel\Exception\BadRequestHttpException');
$this->expectExceptionMessage('This resource is not available');
$request = new Request([
'url' => 'https://example.com/path/to/resource',
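Review bot: this unit test now expects BadRequestHttpException for a bad hash, but the allowed-host check in the controller was changed to the same exception in this commit and no visible test covers that branch; a companion case that builds the Request with a non-matching host in its server array and expects the same exception and message would pin down both changed code paths. The leading-backslash class name string works with expectException, though `BadRequestHttpException::class` on an imported class would survive a rename.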
  • catch @catch

    mentioned in commit 5ff0d72f

  • catch @catch

    mentioned in commit 942722de

  • catch @catch

    mentioned in commit 9e2203d3