Opened 2 years ago

Last modified 8 months ago

#22947 needs_revision defect

Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

Reported by: cypherpunks
Owned by: hiro
Priority: Medium
Milestone:
Component: Webpages/Blog
Version:
Severity: Normal
Keywords: security
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When loading https://blog.torproject.org/blog/tor-0312-alpha-out-notes-about-0311-alpha, a Drupal warning appeared at the top of the page that looked something like:

Warning: Drupal mkdir() failed directory already exists, etc. etc.

Encountered around 06:00-06:10 UTC. I apologize for the vague wording, but I was an idiot and forgot to take a screenshot. The error appeared after the tab was reloaded from a previous Firefox session, and disappeared after I refreshed the page. The warning message contained directory/path names that appeared at least slightly sensitive. I don't think that displaying server-side error messages to a client is intended behavior, either...

Apologies if this is the wrong channel for reporting this. I looked for an email address for security issues, but the Contact page says to "email the respective maintainer" (???). I'm not familiar with who maintains the blog, and it doesn't seem very high-risk or reproducible, so I'll leave a comment on the blog directing someone here.

Child Tickets

Change History (11)

comment:1 Changed 2 years ago by cypherpunks

After trying a bit to reproduce this, I failed to do so. This may have been a transient bug due to restoring a tab from a previous session (maybe Firefox did something weird with a header in the request and the server-side scripting didn't like it?) or maybe someone was poking the Drupal backend at the same time I was loading the page?

Either way, someone may want to look at the Drupal config and at least make sure server-side issues don't get spit out into the HTML served to the client.

comment:2 Changed 2 years ago by hiro

Status: new → accepted

comment:3 Changed 2 years ago by hiro

I have been hunting down this bug for a while, since it has been reported a few times. It is difficult to understand what's happening since it doesn't show up in the logs. I have a ticket open with pantheon to check if they could see something in the logs I wasn't able to spot. For the moment nothing is showing :(. Will see if I can get more info. My guess is that when I update the blog this error comes along and one of the modules is responsible for it (or maybe it is some session issue).

comment:4 Changed 23 months ago by cypherpunks

Different person from the OP but I got this error message showing up after posting a comment:

Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).

comment:5 Changed 23 months ago by cypherpunks

After searching found this to be the same error message I got: #22850

I bet this ticket is a duplicate and the OP got the same message as us.

comment:6 in reply to: comment:4 Changed 23 months ago by cypherpunks

Replying to cypherpunks:

Different person from the OP but I got this error message showing up after posting a comment:

Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).

Yeah, that's the message I saw when I reported this (or very, very similar). The line numbers or filenames might be different, since I didn't post a comment before getting that error. Thanks for helping track this down!

comment:7 Changed 23 months ago by cypherpunks

Got the exact same error again when clicking on new comment, relevant link https://blog.torproject.org/comment/reply/node/1384/comment_node_article/270328

comment:8 Changed 22 months ago by hiro

This is probably a cache issue as per https://www.drupal.org/node/2685957 

We are running the latest version as provided from pantheon. Will see if next update fixes it.

comment:9 Changed 22 months ago by hiro

Status: accepted → needs_revision

comment:10 Changed 10 months ago by traumschule

I propose to disable on-screen warnings completely. Users can't act on errors, only admins reviewing a log can. Waiting for the next occurrence is the wrong approach in my eyes :)
module error level permission
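As an added illustration of the proposal above (this is not code from the ticket, from the Tor blog, or from Drupal itself), the following is a `sites/default/settings.php` override for a Drupal 8 site that stops PHP warnings and notices such as the `mkdir(): File exists` message from being rendered into the HTML sent to visitors, while still recording them for administrators. The file path and the assumption that the site uses Drupal's standard `settings.php` config-override mechanism are assumptions; the `system.logging` / `error_level` key and its values (`hide`, `some`, `all`, `verbose`) are Drupal 8's own.

```php
<?php
// Added example, not part of the ticket or of Drupal's own code.
// Drop these lines into sites/default/settings.php (path assumed).

// Drupal 8 renders PHP errors on screen according to
// system.logging: error_level, which the admin UI exposes at
// /admin/config/development/logging. The weak settings are
// 'all' or 'verbose' (show every notice/warning, including file
// paths and line numbers, to anyone who triggers them) and 'some'
// (errors and warnings only). 'hide' shows nothing to the browser;
// the events still go to the site log (dblog/syslog) for admins.
// Setting it here in settings.php pins the value so that a later
// click in the admin UI or a config import cannot silently turn
// on-screen display back on.
$config['system.logging']['error_level'] = 'hide';

// Belt and braces at the PHP level, independent of Drupal's error
// handler: never echo PHP errors into the response body, but keep
// logging them so the server-side error log retains the detail
// (e.g. "mkdir(): File exists in .../FileStorage.php line 157").
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

After deploying, the effective value can be confirmed with `drush config:get system.logging error_level` (expected output: `hide`), and the warnings that used to appear at the top of the page should instead show up only under Reports → Recent log messages (`/admin/reports/dblog`), where the paths they disclose are visible to administrators only.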

comment:11 Changed 8 months ago by traumschule

This error regularly pops up going through search results:

Notice: Undefined index: status in Drupal\Core\Entity\Sql\SqlContentEntityStorage->loadFromSharedTables() (line 555 of core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php).

https://github.com/drupal/core-version/blob/8.4.x/core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php#L523

Last edited 8 months ago by traumschule