Opened 19 months ago
Last modified 4 months ago
#22947 needs_revision defect
Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org
Reported by: | cypherpunks | Owned by: | hiro |
---|---|---|---|
Priority: | Medium | Milestone: | |
Component: | Webpages/Blog | Version: | |
Severity: | Normal | Keywords: | security |
Cc: | | Actual Points: | |
Parent ID: | | Points: | |
Reviewer: | | Sponsor: | |
Description
When loading https://blog.torproject.org/blog/tor-0312-alpha-out-notes-about-0311-alpha, a Drupal warning appeared at the top of the page that looked something like:
Warning: Drupal mkdir() failed directory already exists, etc. etc.
Encountered around 06:00-06:10 UTC. I apologize for the vague wording, but I was an idiot and forgot to take a screenshot. The error appeared after the tab was reloaded from a previous Firefox session, and disappeared after I refreshed the page. The warning message contained directory/path names that appeared at least slightly sensitive. I don't think that displaying server-side error messages to a client is intended behavior, either...
Apologies if this is the wrong channel for reporting this. I looked for an email address for security issues, but the Contact page says to "email the respective maintainer" (???). I'm not familiar with who maintains the blog, and it doesn't seem very high-risk or reproducible, so I'll leave a comment on the blog directing someone here.
Change History (11)
comment:1 Changed 19 months ago by
comment:2 Changed 19 months ago by
Status: new → accepted
comment:3 Changed 19 months ago by
I have been hunting down this bug for a while, since it has been reported a few times. It is difficult to understand what's happening since it doesn't show up in the logs. I have a ticket open with Pantheon to check if they could see something in the logs I wasn't able to spot. For the moment nothing is showing :(. Will see if I can get more info. My guess is that when I update the blog this error comes along and one of the modules is responsible for it (or maybe it is some session issue).
comment:4 follow-up: 6 Changed 19 months ago by
Different person from the OP, but I got this error message showing up after posting a comment:
Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).
comment:5 Changed 19 months ago by
After searching, I found this to be the same error message I got: #22850
I bet this ticket is a duplicate and the OP got the same message as us.
comment:6 Changed 19 months ago by
Replying to cypherpunks:
Different person from the OP, but I got this error message showing up after posting a comment:
Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).
Yeah, that's the message I saw when I reported this (or very, very similar). The line numbers or filenames might be different, since I didn't post a comment before getting that error. Thanks for helping track this down!
comment:7 Changed 19 months ago by
Got the exact same error again when clicking on new comment, relevant link https://blog.torproject.org/comment/reply/node/1384/comment_node_article/270328
comment:8 Changed 18 months ago by
This is probably a cache issue as per https://www.drupal.org/node/2685957
We are running the latest version as provided by Pantheon. Will see if the next update fixes it.
comment:9 Changed 18 months ago by
Status: accepted → needs_revision
comment:10 Changed 6 months ago by
I propose to disable on-screen warnings completely. Users can't act on errors, only admins reviewing a log can. Waiting for the next occurrence is the wrong approach in my eyes :)
module error level permission
comment:11 Changed 4 months ago by
This error regularly pops up going through search results:
Notice: Undefined index: status in Drupal\Core\Entity\Sql\SqlContentEntityStorage->loadFromSharedTables() (line 555 of core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php).
After trying a bit to reproduce this, I failed to do so. This may have been a transient bug due to restoring a tab from a previous session (maybe Firefox did something weird with a header in the request and the server-side scripting didn't like it?) or maybe someone was poking the Drupal backend at the same time I was loading the page?
Either way, someone may want to look at the Drupal config and at least make sure server-side issues don't get spit out into the HTML served to the client.
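
One way to check served pages for the kind of on-screen message quoted in this ticket, as an added example that is not part of the original ticket or the blog's code. The `find_leaks` helper, the regular expression and the sample HTML (including the `<em class="placeholder">` markup) are constructed for illustration.

```python
import re
from html import unescape

# Message shape quoted in this ticket:
#   <Severity>: <message> in <Class->method()> (line N of path/to/file.php).
LEAK_RE = re.compile(
    r"(?P<severity>Warning|Notice|Deprecated|Fatal error|Parse error)"
    r":\s+(?P<message>.+?)\s+in\s+(?P<function>\S+\(\))"
    r"\s+\(line\s+(?P<line>\d+)\s+of\s+(?P<file>[^\s)]+\.(?:php|inc|module))\)"
)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample: the warning from comment:4 wrapped in assumed markup,
# followed by ordinary page text that must not be flagged.
SAMPLE_HTML = r"""
<div class="messages messages--warning">
  <em class="placeholder">Warning</em>: mkdir(): File exists in
  <em class="placeholder">Drupal\Component\PhpStorage\FileStorage-&gt;createDirectory()</em>
  (line <em class="placeholder">157</em> of
  <em class="placeholder">core/lib/Drupal/Component/PhpStorage/FileStorage.php</em>).
</div>
<p>Notice: comments are moderated.</p>
"""


def find_leaks(html):
    """Return one dict per server-side error message found in served HTML."""
    # Strip tags first, then decode entities ("-&gt;" becomes "->"), then
    # collapse whitespace so a message split across lines still matches.
    text = unescape(TAG_RE.sub("", html))
    text = re.sub(r"\s+", " ", text)
    leaks = []
    for match in LEAK_RE.finditer(text):
        leak = match.groupdict()
        leak["line"] = int(leak["line"])
        leaks.append(leak)
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_HTML):
        # Report what an outside visitor learns: code path, file and line.
        print("{severity} leaked: {file}:{line} via {function}".format(**leak))
```

In Drupal 8 the on-screen display is controlled by the `error_level` key of the `system.logging` configuration; with it set to `hide`, messages go to the log only and a check like this should return nothing.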