Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

[cypherpunks]

When loading ​https://blog.torproject.org/blog/tor-0312-alpha-out-notes-about-0311-alpha, a Drupal warning appeared at the top of the page that looked something like:

Warning: Drupal mkdir() failed directory already exists, etc. etc.

Encountered around 06:00-06:10 UTC. I apologize for the vague wording, but I was an idiot and forgot to take a screenshot. The error appeared after the tab was reloaded from a previous Firefox session, and disappeared after I refreshed the page. The warning message contained directory/path names that appeared at least slightly sensitive. I don't think that displaying server-side error messages to a client is intended behavior, either...

Apologies if this is the wrong channel for reporting this. I looked for an email address for security issues, but the Contact page says to "email the respective maintainer" (???). I'm not familiar with who maintains the blog, and it doesn't seem very high-risk or reproducible, so I'll leave a comment on the blog directing someone here.

[cypherpunks]

After trying a bit to reproduce this, I failed to do so. This may nave been a transient bug due to restoring a tab from a previous session (maybe Firefox did something weird with a header in the request and the server-side scripting didn't like it?) or maybe someone was poking the Drupal backend at the same time I was loading the page?

Either way, someone may want to look at the Drupal config and at least make sure server-side issues don't get spit out into the HTML served to the client.

[hiro]

I have been hunting down this but for a while, since it has been reported a few times. It is difficult to understand what's happening since it doesn't show up in the logs. I have a ticket open with pantheon to check if they could see something in the logs I wasn't able to spot. For the moment nothing is showing :(. Will see if I can get more info. My guess is that when I update the blog this error comes along and some of the modules is responsible for it (or maybe is some session issue).

[cypherpunks]

Different person from the OP but I got this error message show up after posting a comment:

Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).

[cypherpunks]

After searching found this to be the same error message I got: #22850

I bet this ticket is a duplicate and the OP got the same message as us.

[cypherpunks]

Replying to cypherpunks:

Different person from the OP but I got this error message show up after posting a comment:

Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).

Yeah, that's the message I saw when I reported this (or very, very similar). The line numbers or filenames might be different, since I didn't post a comment before getting that error. Thanks for helping track this down!

[cypherpunks]

Got the exact same error again when clicking on new comment, relevant link ​https://blog.torproject.org/comment/reply/node/1384/comment_node_article/270328

[hiro]

This is probably a cache issue as per ​https://www.drupal.org/node/2685957 

We are running the latest version as provided from pantheon. Will see if next update fixes it.

[traumschule]

I propose to ​disable on-screen warnings completely. Users cant act on errors, only admins reviewing a log can. Waiting for the next occurrence is the wrong approach in my eyes :)
​module error level permission

[traumschule]

This error regularly pops up going through search results:

Notice: Undefined index: status in Drupal\Core\Entity\Sql\SqlContentEntityStorage->loadFromSharedTables() (line 555 of core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php).

​https://github.com/drupal/core-version/blob/8.4.x/core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php#L523