SA-CORE-2025-001 by larsdesigns, bdanin, nuwans, dgroene, arkepp, juanramonperez, svendecabooter, wgunn_e, mcdruid, catch

2025-02-18 22:40:55 +00:00 · 2025-02-18 22:40:55 +00:00 · 441c49c368
parent b33c928099
commit 441c49c368
3 changed files with 6 additions and 15 deletions
--- a/core/lib/Drupal/Core/DrupalKernel.php
+++ b/core/lib/Drupal/Core/DrupalKernel.php
@ -779,6 +779,7 @@ class DrupalKernel implements DrupalKernelInterface, TerminableInterface {
    if ($e instanceof HttpExceptionInterface) {
      $response = new Response($e->getMessage(), $e->getStatusCode());
      $response->headers->add($e->getHeaders());
+      $response->headers->set('Content-Type', 'text/plain');
      return $response;
    }

--- a/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionHtmlSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionHtmlSubscriber.php
@ -87,21 +87,14 @@ class DefaultExceptionHtmlSubscriber extends HttpExceptionSubscriberBase {
   *   The event to process.
   */
  public function on4xx(ExceptionEvent $event) {
-    if (($exception = $event->getThrowable()) && $exception instanceof HttpExceptionInterface) {
+    // Avoid making a subrequest for 400 errors because the same conditions that
+    // caused the 400 error could also happen in the subrequest. This allows 400
+    // exceptions to fall through to FinalExceptionSubscriber::on4xx.
+    if (($exception = $event->getThrowable()) && $exception instanceof HttpExceptionInterface && $exception->getStatusCode() > 400) {
      $this->makeSubrequest($event, '/system/4xx', $exception->getStatusCode());
    }
  }

-  /**
-   * Handles a 400 error for HTML.
-   *
-   * @param \Symfony\Component\HttpKernel\Event\ExceptionEvent $event
-   *   The event to process.
-   */
-  public function on400(ExceptionEvent $event): void {
-    throw $event->getThrowable();
-  }
-
  /**
   * Handles a 401 error for HTML.
   *
--- a/core/tests/Drupal/KernelTests/Core/EventSubscriber/ExceptionLoggingSubscriberTest.php
+++ b/core/tests/Drupal/KernelTests/Core/EventSubscriber/ExceptionLoggingSubscriberTest.php
@ -9,7 +9,6 @@ use Drupal\Core\Logger\RfcLogLevel;
 use Drupal\KernelTests\KernelTestBase;
 use Symfony\Component\ErrorHandler\BufferingLogger;
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\Exception\HttpException;

 /**
 * Tests that HTTP exceptions are logged correctly.
@ -64,9 +63,7 @@ class ExceptionLoggingSubscriberTest extends KernelTestBase {

  public static function exceptionDataProvider(): array {
    return [
-      // When a BadRequestException is thrown, DefaultHttpExceptionSubscriber
-      // will rethrow the exception.
-      [400, 'client error', RfcLogLevel::WARNING, HttpException::class],
+      [400, 'client error', RfcLogLevel::WARNING],
      [401, 'client error', RfcLogLevel::WARNING],
      [403, 'access denied', RfcLogLevel::WARNING],
      [404, 'page not found', RfcLogLevel::WARNING],