Joomla! Issue Tracker | Joomla! CMS #34340 - [4] When using path::clean, a security method, correctly throw a useable exception.

Fixed in Code Base
21 Aug 2021
Medium
Build: 4.0-dev
# 34340
Diff
PhilETaylor:pathcheckexception

Pending

User tests: Successful: Unsuccessful:

PhilETaylor
1 Jun 2021

Pull Request for Issue #34263

Summary of Changes

When using Path::clean() method, with an invalid path (Like ../../../../../../) it is designed to throw an exception.

The problem is that someone used code = 20 in the exception.

If your code calls the code below, and doesnt catch the exception then your website will not show an error message, it will show a 502 Bad Gateway (on nginx)

Path::clean('../../../../../../');

When you have a php-fpm set up, where the web server passes the request "upstream" to the "gateway" (i.e php-fpm running somewhere, or somehow else) then PHP-FPM will return error code 20 when this exception is thrown causing an error like:

webserver_1  | 2021/06/01 15:10:43 [error] 31#31: *109 upstream sent invalid status "20" while reading response header from upstream, client: 172.19.0.1, server: , request: "GET /administrator/index.php HTTP/1.1", upstream: "fastcgi://172.19.0.6:9000", host: "127.0.0.1:4444"

Testing Instructions

If your code calls the code below, and doesnt catch the exception then your website will not show an error message, it will show a 502 Bad Gateway (on nginx)

Path::clean('../../../../../../');

Actual result BEFORE applying this Pull Request

502 Bad Gateway

Expected result AFTER applying this Pull Request

Correctly displayed Exception that can be handled

Documentation Changes Required

// @Fedik @dgrammatiko

cf1b764 1 Jun 2021

Correctly throw exception with no code

PhilETaylor - open - 1 Jun 2021

PhilETaylor - change - 1 Jun 2021

Status

New

⇒

Pending

joomla-cms-bot - change - 1 Jun 2021

Category

⇒

Libraries

PhilETaylor - change - 1 Jun 2021

The description was changed

PhilETaylor - edited - 1 Jun 2021

Fedik - comment - 1 Jun 2021

I would change to 418, but removing is okay

PhilETaylor - comment - 1 Jun 2021

418 I'm a teapot is a HTTP Error code, not a PHP Exception code ;-)

Fedik - comment - 1 Jun 2021

yes, that in result will be HTTP response status code ;)

PhilETaylor - comment - 1 Jun 2021

On reflection of your joke with HTTP Codes, Im not sure this PR is the right approach... Im thinking now maybe something in the Symfony error handler is converting a User-Defined PHP Exception code to a HTTP Response code...

Let me dig into Symfony Error Handler more...

Fedik - test_item - 1 Jun 2021 - Tested successfully

Fedik - comment - 1 Jun 2021

I have tested this item ✅ successfully on cf1b764

on review

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34340.}

Fedik - comment - 1 Jun 2021

maybe something in the Symfony error handler is converting a User-Defined PHP Exception code to a HTTP Response code.

Anything can be,
but I never seen such, most of scripts just use an exception code directly for HTTP response

PhilETaylor - comment - 1 Jun 2021

Confirmed... in the same nginx/php-fpm set up running, using code:

<?php
error_reporting(E_ALL);
ini_set('display_errors',1);

throw new Exception('asd',20);

I correctly get the following, and not a Bad Gateway...

Fatal error: Uncaught Exception: asd in /application/ex.php:5 Stack trace: #0 {main} thrown in /application/ex.php on line 5

So something in Joomla deep in the unhandled error handler is causing a HTTP Response of code 20...

This needs researching and fixing.... (Cause we cannot trust 3PD to catch Exceptions because even Joomla doesnt ;-()

PhilETaylor - comment - 1 Jun 2021

I must have had my coffee....

I was right

On reflection of your joke with HTTP Codes, Im not sure this PR is the right approach... Im thinking now maybe something in the Symfony error handler is converting a User-Defined PHP Exception code to a HTTP Response code...

https://github.com/symfony/symfony/blob/0d3befa984bab8a1ef9304dfced1d9d9b8fc8d2e/src/Symfony/Component/ErrorHandler/Exception/FlattenException.php#L78

Fedik - comment - 1 Jun 2021

if you curious, here is where header sets, for an exception

joomla-cms/libraries/src/Document/ErrorDocument.php

Lines 117 to 132 in 3a5984d

    
           // Set the status header 
        
           $status = $this->_error->getCode(); 
        
           if ($status < 400 || $status > 599) 
        
           { 
        
           	$status = 500; 
        
           } 
        
           $errorReporting = CmsFactory::getApplication()->get('error_reporting'); 
        
           if ($errorReporting === "development" || $errorReporting === "maximum") 
        
           { 
        
           	$status .= ' ' . str_replace("\n", ' ', $this->_error->getMessage()); 
        
           } 
        
           CmsFactory::getApplication()->setHeader('status', $status);

it should be 500 if exception code is less than 400, that strange

PhilETaylor - comment - 1 Jun 2021

I dont think it goes anywhere near that, especially as the status of 20 is less than 400 and so that code would reset it to 500... Its the Symfony error handler (The red screen of death)... I need more coffee before going that low into the code again, last time I barely made it out alive...

dgrammatiko - comment - 1 Jun 2021

One more:

joomla-cms/libraries/src/Filesystem/Path.php

Line 216 in cf1b764

PhilETaylor - comment - 1 Jun 2021

yeah that one probably needs to go too, but let me look under the red screen of death and see if we (Joomla) can handle it correctly first.

richard67 - comment - 1 Jun 2021

Does this PR solve issue #34263 so it can be closed?

PhilETaylor - comment - 1 Jun 2021

Please leave open for now, Im using it as a reminder to check that all Mail Sending in Joomla is catching newly added Exceptions that can be raised in MailTemplates.php and below :(

acc8862 1 Jun 2021

another

PhilETaylor - change - 1 Jun 2021

Labels

Added: ?

wilsonge - comment - 1 Jun 2021

I suspect 20 comes from the old JError days fwiw and the status codes never got changed.

PhilETaylor - comment - 21 Aug 2021

This can be merged now...

wilsonge - change - 21 Aug 2021

Status	Pending	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2021-08-21 21:45:00
Closed_By		⇒	wilsonge
Labels	Added: ? Removed: ?

wilsonge - close - 21 Aug 2021

wilsonge - merge - 21 Aug 2021

wilsonge - comment - 21 Aug 2021

Thanks!

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#34340] - [4] When using path::clean, a security method, correctly throw a useable exception.

Summary of Changes

Testing Instructions

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Documentation Changes Required

Add a Comment

	// Set the status header
	$status = $this->_error->getCode();

	if ($status < 400 \|\| $status > 599)
	{
	$status = 500;
	}

	$errorReporting = CmsFactory::getApplication()->get('error_reporting');

	if ($errorReporting === "development" \|\| $errorReporting === "maximum")
	{
	$status .= ' ' . str_replace("\n", ' ', $this->_error->getMessage());
	}

	CmsFactory::getApplication()->setHeader('status', $status);