Issue #2564321 by alexpott: file_save_htaccess() generates error logs which are escaped incorrectly

2015-09-08 19:38:16 -05:00 · 2015-09-08 19:38:16 -05:00 · 74d6632db9
parent 5e8523ecb9
commit 74d6632db9
2 changed files with 45 additions and 2 deletions
--- a/core/includes/file.inc
+++ b/core/includes/file.inc
@ -371,8 +371,8 @@ function file_save_htaccess($directory, $private = TRUE, $force_overwrite = FALS
    return drupal_chmod($htaccess_path, 0444);
  }
  else {
-    $variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(Html::escape($htaccess_lines)));
-    \Drupal::logger('security')->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables);
+    $variables = array('%directory' => $directory, '@htaccess' => $htaccess_lines);
+    \Drupal::logger('security')->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <pre><code>@htaccess</code></pre>", $variables);
    return FALSE;
  }
 }
--- a/core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php
+++ b/core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php
@ -0,0 +1,43 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\system\Tests\File\FileSaveHtaccessLoggingTest.
+ */
+
+namespace Drupal\system\Tests\File;
+
+use Drupal\Component\PhpStorage\FileStorage;
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests the log message added by file_save_htacess().
+ *
+ * @group File
+ */
+class FileSaveHtaccessLoggingTest extends WebTestBase {
+
+  protected static $modules = ['dblog'];
+
+  /**
+   * Tests file_save_htaccess().
+   */
+  function testHtaccessSave() {
+    // Prepare test directories.
+    $private = $this->publicFilesDirectory . '/test/private';
+
+    // Verify that file_save_htaccess() returns FALSE if .htaccess cannot be
+    // written and writes a correctly formatted message to the error log. Set
+    // $private to TRUE so all possible .htaccess lines are written.
+    $this->assertFalse(file_save_htaccess($private, TRUE));
+    $this->drupalLogin($this->rootUser);
+    $this->drupalGet('admin/reports/dblog');
+    $this->clickLink("Security warning: Couldn't write .htaccess file. Please…");
+
+    $lines = FileStorage::htaccessLines(TRUE);
+    foreach (array_filter(explode("\n", $lines)) as $line) {
+      $this->assertEscaped($line);
+    }
+  }
+
+}