SA-CORE-2022-012 by cmlara, GuyPaddock, larowlan, mondrake, effulgentsia, xjm, longwave, Dave Reid, lauriii, David Strauss, benjifisher, alexpott, mcdruid, Fabianx
(cherry picked from commit 1f82337d17)
merge-requests/1315/head
xjm
parent
10c3646fc5
commit
85b3c3755e
|
|
@ -505,6 +505,29 @@ $settings['update_free_access'] = FALSE;
|
|||
*/
|
||||
# $settings['file_public_path'] = 'sites/default/files';
|
||||
|
||||
/**
|
||||
* Additional public file schemes:
|
||||
*
|
||||
* Public schemes are URI schemes that allow download access to all users for
|
||||
* all files within that scheme.
|
||||
*
|
||||
* The "public" scheme is always public, and the "private" scheme is always
|
||||
* private, but other schemes, such as "https", "s3", "example", or others,
|
||||
* can be either public or private depending on the site. By default, they're
|
||||
* private, and access to individual files is controlled via
|
||||
* hook_file_download().
|
||||
*
|
||||
* Typically, if a scheme should be public, a module makes it public by
|
||||
* implementing hook_file_download(), and granting access to all users for all
|
||||
* files. This could be either the same module that provides the stream wrapper
|
||||
* for the scheme, or a different module that decides to make the scheme
|
||||
* public. However, in cases where a site needs to make a scheme public, but
|
||||
* is unable to add code in a module to do so, the scheme may be added to this
|
||||
* variable, the result of which is that system_file_download() grants public
|
||||
* access to all files within that scheme.
|
||||
*/
|
||||
# $settings['file_additional_public_schemes'] = ['example'];
|
||||
|
||||
/**
|
||||
* Private file path:
|
||||
*
|
||||
|
|
|
|||
|
|
@ -115,4 +115,28 @@ class PublicStream extends LocalStream {
|
|||
return Settings::get('file_public_path', $site_path . '/files');
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
protected function getLocalPath($uri = NULL) {
|
||||
$path = parent::getLocalPath($uri);
|
||||
if (!$path || (strpos($path, 'vfs://') === 0)) {
|
||||
return $path;
|
||||
}
|
||||
|
||||
if (Settings::get('sa_core_2022_012_override') === TRUE) {
|
||||
return $path;
|
||||
}
|
||||
|
||||
$private_path = Settings::get('file_private_path');
|
||||
if ($private_path) {
|
||||
$private_path = realpath($private_path);
|
||||
if ($private_path && strpos($path, $private_path) === 0) {
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
return $path;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ use Drupal\Component\Utility\Crypt;
|
|||
use Drupal\Core\File\FileSystemInterface;
|
||||
use Drupal\Core\Image\ImageFactory;
|
||||
use Drupal\Core\Lock\LockBackendInterface;
|
||||
use Drupal\Core\Site\Settings;
|
||||
use Drupal\Core\StreamWrapper\StreamWrapperManager;
|
||||
use Drupal\Core\StreamWrapper\StreamWrapperManagerInterface;
|
||||
use Drupal\image\ImageStyleInterface;
|
||||
|
|
@ -114,21 +115,25 @@ class ImageStyleDownloadController extends FileDownloadController {
|
|||
$target = $request->query->get('file');
|
||||
$image_uri = $scheme . '://' . $target;
|
||||
|
||||
// Check that the style is defined, the scheme is valid, and the image
|
||||
// derivative token is valid. Sites which require image derivatives to be
|
||||
// generated without a token can set the
|
||||
// Check that the style is defined and the scheme is valid.
|
||||
$valid = !empty($image_style) && $this->streamWrapperManager->isValidScheme($scheme);
|
||||
|
||||
// Also validate the derivative token. Sites which require image
|
||||
// derivatives to be generated without a token can set the
|
||||
// 'image.settings:allow_insecure_derivatives' configuration to TRUE to
|
||||
// bypass the latter check, but this will increase the site's vulnerability
|
||||
// bypass this check, but this will increase the site's vulnerability
|
||||
// to denial-of-service attacks. To prevent this variable from leaving the
|
||||
// site vulnerable to the most serious attacks, a token is always required
|
||||
// when a derivative of a style is requested.
|
||||
// The $target variable for a derivative of a style has
|
||||
// styles/<style_name>/... as structure, so we check if the $target variable
|
||||
// starts with styles/.
|
||||
$valid = !empty($image_style) && $this->streamWrapperManager->isValidScheme($scheme);
|
||||
$token = $request->query->get(IMAGE_DERIVATIVE_TOKEN, '');
|
||||
$token_is_valid = hash_equals($image_style->getPathToken($image_uri), $token);
|
||||
if (!$this->config('image.settings')->get('allow_insecure_derivatives') || strpos(ltrim($target, '\/'), 'styles/') === 0) {
|
||||
$valid &= hash_equals($image_style->getPathToken($image_uri), $request->query->get(IMAGE_DERIVATIVE_TOKEN, ''));
|
||||
$valid = $valid && $token_is_valid;
|
||||
}
|
||||
|
||||
if (!$valid) {
|
||||
// Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the
|
||||
// image token is for DDoS protection rather than access checking. 404s
|
||||
|
|
@ -138,11 +143,23 @@ class ImageStyleDownloadController extends FileDownloadController {
|
|||
}
|
||||
|
||||
$derivative_uri = $image_style->buildUri($image_uri);
|
||||
$derivative_scheme = $this->streamWrapperManager->getScheme($derivative_uri);
|
||||
|
||||
if ($token_is_valid) {
|
||||
$is_public = ($scheme !== 'private');
|
||||
}
|
||||
else {
|
||||
$core_schemes = ['public', 'private', 'temporary'];
|
||||
$additional_public_schemes = array_diff(Settings::get('file_additional_public_schemes', []), $core_schemes);
|
||||
$public_schemes = array_merge(['public'], $additional_public_schemes);
|
||||
$is_public = in_array($derivative_scheme, $public_schemes, TRUE);
|
||||
}
|
||||
|
||||
$headers = [];
|
||||
|
||||
// If using the private scheme, let other modules provide headers and
|
||||
// If not using a public scheme, let other modules provide headers and
|
||||
// control access to the file.
|
||||
if ($scheme == 'private') {
|
||||
if (!$is_public) {
|
||||
$headers = $this->moduleHandler()->invokeAll('file_download', [$image_uri]);
|
||||
if (in_array(-1, $headers) || empty($headers)) {
|
||||
throw new AccessDeniedHttpException();
|
||||
|
|
@ -150,14 +167,14 @@ class ImageStyleDownloadController extends FileDownloadController {
|
|||
}
|
||||
|
||||
// Don't try to generate file if source is missing.
|
||||
if (!file_exists($image_uri)) {
|
||||
if (!$this->sourceImageExists($image_uri, $token_is_valid)) {
|
||||
// If the image style converted the extension, it has been added to the
|
||||
// original file, resulting in filenames like image.png.jpeg. So to find
|
||||
// the actual source image, we remove the extension and check if that
|
||||
// image exists.
|
||||
$path_info = pathinfo(StreamWrapperManager::getTarget($image_uri));
|
||||
$converted_image_uri = sprintf('%s://%s%s%s', $this->streamWrapperManager->getScheme($derivative_uri), $path_info['dirname'], DIRECTORY_SEPARATOR, $path_info['filename']);
|
||||
if (!file_exists($converted_image_uri)) {
|
||||
if (!$this->sourceImageExists($converted_image_uri, $token_is_valid)) {
|
||||
$this->logger->notice('Source image at %source_image_path not found while trying to generate derivative image at %derivative_path.', ['%source_image_path' => $image_uri, '%derivative_path' => $derivative_uri]);
|
||||
return new Response($this->t('Error generating image, missing source file.'), 404);
|
||||
}
|
||||
|
|
@ -196,9 +213,9 @@ class ImageStyleDownloadController extends FileDownloadController {
|
|||
];
|
||||
// \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespond()
|
||||
// sets response as not cacheable if the Cache-Control header is not
|
||||
// already modified. We pass in FALSE for non-private schemes for the
|
||||
// $public parameter to make sure we don't change the headers.
|
||||
return new BinaryFileResponse($uri, 200, $headers, $scheme !== 'private');
|
||||
// already modified. When $is_public is TRUE, the following sets the
|
||||
// Cache-Control header to "public".
|
||||
return new BinaryFileResponse($uri, 200, $headers, $is_public);
|
||||
}
|
||||
else {
|
||||
$this->logger->notice('Unable to generate the derived image located at %path.', ['%path' => $derivative_uri]);
|
||||
|
|
@ -206,4 +223,43 @@ class ImageStyleDownloadController extends FileDownloadController {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether the provided source image exists.
|
||||
*
|
||||
* @param string $image_uri
|
||||
* The URI for the source image.
|
||||
* @param bool $token_is_valid
|
||||
* Whether a valid image token was supplied.
|
||||
*
|
||||
* @return bool
|
||||
* Whether the source image exists.
|
||||
*/
|
||||
private function sourceImageExists(string $image_uri, bool $token_is_valid): bool {
|
||||
$exists = file_exists($image_uri);
|
||||
|
||||
// If the file doesn't exist, we can stop here.
|
||||
if (!$exists) {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if ($token_is_valid) {
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
if (StreamWrapperManager::getScheme($image_uri) !== 'public') {
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
$image_path = $this->fileSystem->realpath($image_uri);
|
||||
$private_path = Settings::get('file_private_path');
|
||||
if ($private_path) {
|
||||
$private_path = realpath($private_path);
|
||||
if ($private_path && strpos($image_path, $private_path) === 0) {
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,6 +27,8 @@ use Drupal\Core\PageCache\RequestPolicyInterface;
|
|||
use Drupal\Core\Queue\QueueGarbageCollectionInterface;
|
||||
use Drupal\Core\Routing\RouteMatchInterface;
|
||||
use Drupal\Core\Routing\StackedRouteMatchInterface;
|
||||
use Drupal\Core\Site\Settings;
|
||||
use Drupal\Core\StreamWrapper\StreamWrapperManager;
|
||||
use Drupal\Core\Url;
|
||||
use GuzzleHttp\Exception\TransferException;
|
||||
use Symfony\Component\HttpFoundation\RedirectResponse;
|
||||
|
|
@ -1385,3 +1387,21 @@ function system_page_top() {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements hook_file_download().
|
||||
*/
|
||||
function system_file_download($uri) {
|
||||
$core_schemes = ['public', 'private', 'temporary'];
|
||||
$additional_public_schemes = array_diff(Settings::get('file_additional_public_schemes', []), $core_schemes);
|
||||
if ($additional_public_schemes) {
|
||||
$scheme = StreamWrapperManager::getScheme($uri);
|
||||
if (in_array($scheme, $additional_public_schemes, TRUE)) {
|
||||
return [
|
||||
// Returning any header grants access, and setting the 'Cache-Control'
|
||||
// header is appropriate for public files.
|
||||
'Cache-Control' => 'public',
|
||||
];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -505,6 +505,29 @@ $settings['update_free_access'] = FALSE;
|
|||
*/
|
||||
# $settings['file_public_path'] = 'sites/default/files';
|
||||
|
||||
/**
|
||||
* Additional public file schemes:
|
||||
*
|
||||
* Public schemes are URI schemes that allow download access to all users for
|
||||
* all files within that scheme.
|
||||
*
|
||||
* The "public" scheme is always public, and the "private" scheme is always
|
||||
* private, but other schemes, such as "https", "s3", "example", or others,
|
||||
* can be either public or private depending on the site. By default, they're
|
||||
* private, and access to individual files is controlled via
|
||||
* hook_file_download().
|
||||
*
|
||||
* Typically, if a scheme should be public, a module makes it public by
|
||||
* implementing hook_file_download(), and granting access to all users for all
|
||||
* files. This could be either the same module that provides the stream wrapper
|
||||
* for the scheme, or a different module that decides to make the scheme
|
||||
* public. However, in cases where a site needs to make a scheme public, but
|
||||
* is unable to add code in a module to do so, the scheme may be added to this
|
||||
* variable, the result of which is that system_file_download() grants public
|
||||
* access to all files within that scheme.
|
||||
*/
|
||||
# $settings['file_additional_public_schemes'] = ['example'];
|
||||
|
||||
/**
|
||||
* Private file path:
|
||||
*
|
||||
|
|
|
|||
Loading…
Reference in New Issue