Commit 942722de authored by catch's avatar catch

Issue #3366481 by cilefen, acbramley, phenaproxima, seanB:...

Issue #3366481 by cilefen, acbramley, phenaproxima, seanB: OEmbedIframeController returns an HTTP response code that can be cached by forward proxies when it is given illegal parameters

(cherry picked from commit ca17d0ac)
parent 480c9661
+4 −4
@@ -18,7 +18,7 @@
use Psr\Log\LoggerInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

/**
 * Controller which renders an oEmbed resource in a bare page (without blocks).
@@ -115,7 +115,7 @@ public static function create(ContainerInterface $container) {
   * @return \Symfony\Component\HttpFoundation\Response
   *   The response object.
   *
   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
   * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
   *   Will be thrown if either
   *   - the 'hash' parameter does not match the expected hash of the 'url'
   *     parameter;
@@ -129,7 +129,7 @@ public function render(Request $request) {
      $allowed_host = parse_url($allowed_domain, PHP_URL_HOST);
      $host = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
      if ($allowed_host !== $host) {
        throw new AccessDeniedHttpException('This resource is not available');
        throw new BadRequestHttpException('This resource is not available');
      }
    }

@@ -141,7 +141,7 @@ public function render(Request $request) {
    // parameter passed in the query string.
    $hash = $this->iFrameUrlHelper->getHash($url, $max_width, $max_height);
    if (!hash_equals($hash, $request->query->get('hash', ''))) {
      throw new AccessDeniedHttpException('This resource is not available');
      throw new BadRequestHttpException('This resource is not available');
    }

    // Return a response instead of a render array so that the frame content
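Review bot: Both rejection paths now throw BadRequestHttpException with the same generic message, so the host mismatch at the `$allowed_host !== $host` check and the hash mismatch at the `hash_equals` check are indistinguishable in server logs, even though keeping the client-facing message identical is the right choice. The file already imports `Psr\Log\LoggerInterface`; if the controller holds an injected logger, a notice-level entry naming which check failed (for example `$this->logger->notice('oEmbed iframe request rejected: hash mismatch for host @host', ['@host' => $host]);`, without the submitted hash value) before each throw would make a burst of forged-parameter requests visible to monitoring without changing the response. The `@throws` docblock hunk now names the new exception, but its bullet list continues outside the hunk, so confirm the remaining items still describe both failure modes. The render() method starts and ends outside the shown hunks.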
+1 −1
@@ -195,7 +195,7 @@ public function testMediaOEmbedVideoSource() {
    $no_hash_query = array_diff_key($query, ['hash' => '']);
    $this->drupalGet('media/oembed', ['query' => $no_hash_query]);
    $assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
    $assert_session->pageTextContains('Access denied');
    $assert_session->pageTextContains('Client error');

    // A correct query should be allowed because the anonymous role has the
    // 'view media' permission.
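Review bot: The replacement assertion `pageTextContains('Client error')` checks only the rendered error text, which does not pin the behaviour the issue is about, namely the response status code and hence how caches treat it. Adding `$assert_session->statusCodeEquals(400);` beside it would fail if a later change reverted to a 403 or another code, while the existing `pageTextNotContains` line continues to cover the content leak. The enclosing testMediaOEmbedVideoSource() starts and ends outside the hunk.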
+1 −1
@@ -56,7 +56,7 @@ public function testBadHashParameter($hash) {

    $this->assertIsCallable($controller);

    $this->expectException('\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException');
    $this->expectException('\Symfony\Component\HttpKernel\Exception\BadRequestHttpException');
    $this->expectExceptionMessage('This resource is not available');
    $request = new Request([
      'url' => 'https://example.com/path/to/resource',