Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Steps to reproduce:
- Enable boost debug mode
- Create a URL alias with and UTF-8 character in it (I had ™)
- Open that page
- Boost tries to log the entire global
$_boost
variable to watchdog callingboost_print_r()
- As a result write to the watchdog will fail with a fatal error. As this code is being called after
drupal_deliver_html_page()
execution, Drupal sends an error page after the normal: in browser you see your normal page and then error page one after other
Comment | File | Size | Author |
---|---|---|---|
#7 | Recorder bug_lemberg.co_.uk_labs.png | 138.29 KB | Taran2L |
#3 | boost-fixed_utf8_support_in_boost_print_r-2113293-3.patch | 688 bytes | Taran2L |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedJust a quick check, is anything ever written to the cache for this URL ? as the error may be caused by the filename and the filesystem not working with UTF-8 characters.
Comment #2
Taran2LWill provide a patch shortly.
Comment #3
Taran2LVersion #1
Comment #4
Taran2LVersion #2 (I like it more)
This function is being used only for watchdog entries. So, could be rewritten in the following way.
Comment #5
Taran2LBoost fails on debug. And the issue is related to debugging. I'm not sure if the file is being written to the filesystem. But, it's not the case.
If you would like, I can provide screenshot and backtrace log.
Comment #6
Anonymous (not verified) CreditAttribution: Anonymous commentedSorry didn't understand the first sentence of that last post, whether the cache file is written to the system is much more of an issue (and whether rewrite rules pick it up), than a watchdog error.
Comment #7
Taran2LDrupal crashes trying write debug message to a watchdog; result is:
See attached image.
Why ?
Because when debug is on, boost writes a watchdog entry after main page has been delivered:
boost.module, lines 1422-1428
And
boost_print_r()
has an error (see original code):htmlentities()
isn't binary safe (doesn't work with utf-8 characters). It fails, because my url contains trademarkAttached patch fixes this.
Comment #8
Anonymous (not verified) CreditAttribution: Anonymous commentedThe problem with the patch is that it could open up an XSS exploit by allowing < > tags through, have you considered
and using the PHP documentation.
which is probably the source of the error. I'm also much more concerned as to whether the URL translation results in a cacheable file.
Comment #9
Taran2LSo, I've done some testing. Discard patch #4. It's could be exploited.
However, patch #3 fixes the problem.
Patch uses
check_plain()
Drupal built-in filtering function, which uses PHPhtmlspecialchars()
.Basically speaking
htmspecialchars()
is a more strict version of thehtmlentities()
.Patch #3 doesn't allow any tags/special characters/etc
Comment #10
Taran2LHow to reproduce:
1. Enable & configure boost
2. Enable boost debug
3. Create a page with an alias page™
4. Go to this page as an anonymous user. Scroll to the bottom of the page to see an error
5. Apply patch in #3 and fix it
Comment #11
DamienMcKennaMaybe wrap the output in filter_xss()?
Comment #12
Taran2LPatch #3 has
check_plain()
, which is what we need in this case I believe. What tags you want to see in the output ofprint_r()