From 74d6632db94a5746ae49168a0a60714cad4f1bd8 Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Tue, 8 Sep 2015 19:38:16 -0500
Subject: [PATCH] Issue #2564321 by alexpott: file_save_htaccess() generates
 error logs which are escaped incorrectly

---
 core/includes/file.inc                        |  4 +-
 .../File/FileSaveHtaccessLoggingTest.php      | 43 +++++++++++++++++++
 2 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php

diff --git a/core/includes/file.inc b/core/includes/file.inc
index 142bd206be1a..c5027c023653 100644
--- a/core/includes/file.inc
+++ b/core/includes/file.inc
@@ -371,8 +371,8 @@ function file_save_htaccess($directory, $private = TRUE, $force_overwrite = FALS
     return drupal_chmod($htaccess_path, 0444);
   }
   else {
-    $variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(Html::escape($htaccess_lines)));
-    \Drupal::logger('security')->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables);
+    $variables = array('%directory' => $directory, '@htaccess' => $htaccess_lines);
+    \Drupal::logger('security')->error("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <pre><code>@htaccess</code></pre>", $variables);
     return FALSE;
   }
 }
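Review bot: The switch from `!htaccess` to `@htaccess` on the new `$variables` line is the security-relevant part of this change, yet nothing in the code says why the escaped placeholder is required. I would add a comment above it such as `// Pass the raw lines via @htaccess so they are escaped at render time; do not pre-escape or use a raw placeholder.` The message template now embeds `<pre><code>` markup, so a log backend that does not render HTML would have to strip or print those tags; which backends are enabled is not visible here. Because this branch leaves the directory without its .htaccess protection, the function docblock should also state that callers must check the FALSE return. The body of file_save_htaccess() starts outside this hunk.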
diff --git a/core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php b/core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php
new file mode 100644
index 000000000000..544e8b13e875
--- /dev/null
+++ b/core/modules/system/src/Tests/File/FileSaveHtaccessLoggingTest.php
@@ -0,0 +1,43 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\system\Tests\File\FileSaveHtaccessLoggingTest.
+ */
+
+namespace Drupal\system\Tests\File;
+
+use Drupal\Component\PhpStorage\FileStorage;
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests the log message added by file_save_htacess().
+ *
+ * @group File
+ */
+class FileSaveHtaccessLoggingTest extends WebTestBase {
+
+  protected static $modules = ['dblog'];
+
+  /**
+   * Tests file_save_htaccess().
+   */
+  function testHtaccessSave() {
+    // Prepare test directories.
+    $private = $this->publicFilesDirectory . '/test/private';
+
+    // Verify that file_save_htaccess() returns FALSE if .htaccess cannot be
+    // written and writes a correctly formatted message to the error log. Set
+    // $private to TRUE so all possible .htaccess lines are written.
+    $this->assertFalse(file_save_htaccess($private, TRUE));
+    $this->drupalLogin($this->rootUser);
+    $this->drupalGet('admin/reports/dblog');
+    $this->clickLink("Security warning: Couldn't write .htaccess file. Please…");
+
+    $lines = FileStorage::htaccessLines(TRUE);
+    foreach (array_filter(explode("\n", $lines)) as $line) {
+      $this->assertEscaped($line);
+    }
+  }
+
+}
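Review bot: The test depends on `file_save_htaccess($private, TRUE)` failing, but `testHtaccessSave()` never states why it fails; the `// Prepare test directories.` comment sits above a line that only builds a path, and the directory appears to be left uncreated on purpose. Replace it with `// Deliberately do not create the directory so that writing .htaccess fails.` and consider `$this->assertFalse(is_dir($private));` before the call so the precondition is explicit. The `assertEscaped()` loop passes trivially for lines with no HTML-special characters, so it is worth a comment noting that the check relies on the lines that do contain them. Minor: the class docblock spells the function `file_save_htacess()`, and `testHtaccessSave()` has no `public` visibility keyword.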
-- 
GitLab