[pp-1] system_requirements() strips core compatibility in a really fragile and dangerous way when comparing versions

Created on 11 November 2019, over 5 years ago
Updated 20 June 2025, 4 days ago

Problem/Motivation

system_requirements() includes this:

        $version = str_replace(\Drupal::CORE_COMPATIBILITY . '-', '', $required_file->info['version']);
        ...
            'description' => t('@name requires this module and version. Currently using @required_name version @version', ['@name' => $name, '@required_name' => $required_name, '@version' => $version]),

\Drupal::CORE_COMPATIBILITY is "8.x".

So we str_replace() "8.x-" with an empty string.

However, we're not careful about doing so only at the beginning of the version string.

So, if you somehow are dealing with a version string that contains '8.x-' somewhere you don't expect, all hell breaks loose.

Reasons you might have a version string that will be wrongfully clobbered include:

  1. A contrib module is up to the 8.x-8.x branch and you're using the -dev release.
  2. You applied #3093130: Between alpha1 and X.Y.0 official \Drupal::VERSION should not be "8.8.0-dev" since it doesn't work for Semver::satisfies() and core's version is 8.8.x-dev
  3. You're using git_deploy and a Git checkout of core, in which case core thinks its version is 8.8.x-dev (I think).
  4. ...

Proposed resolution

If we have to strip this off, make sure we only do it at the beginning of the version string.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Postponed

Version

11.0 🔥

Component

extension system

Created by

🇺🇸 United States dww
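The unanchored strip described in the issue summary, next to a prefix-only strip, as an added example that is not Drupal core code and not a patch from this issue. The function names, the local `CORE_COMPATIBILITY` constant (set to the "8.x" value quoted above) and the sample version strings are assumptions made for illustration.

```php
<?php
// Added illustration; not Drupal core code. This constant mirrors the value
// of \Drupal::CORE_COMPATIBILITY quoted in the issue ("8.x").
const CORE_COMPATIBILITY = '8.x';

/** Behaviour quoted in the issue: removes "8.x-" wherever it occurs. */
function strip_unanchored(string $version): string {
  return str_replace(CORE_COMPATIBILITY . '-', '', $version);
}

/** Hypothetical fix: remove the prefix only at the start of the string. */
function strip_anchored(string $version): string {
  $prefix = CORE_COMPATIBILITY . '-';
  return strncmp($version, $prefix, strlen($prefix)) === 0
    ? substr($version, strlen($prefix))
    : $version;
}

// Constructed sample version strings covering the cases listed in the issue.
$samples = [
  '8.x-1.2',      // ordinary contrib release
  '8.x-8.x-dev',  // contrib on an 8.x-8.x branch, -dev release
  '8.8.x-dev',    // core version string from cases 2 and 3
  '8.8.0',        // tagged core release, no prefix present
];

// Print both results side by side and flag the inputs where they disagree.
printf("%-14s %-14s %-14s\n", 'input', 'unanchored', 'anchored');
foreach ($samples as $version) {
  $old = strip_unanchored($version);
  $new = strip_anchored($version);
  $flag = $old !== $new ? '  <- differs' : '';
  printf("%-14s %-14s %-14s%s\n", $version, $old, $new, $flag);
}
```

The rows flagged as differing are the ones where the unanchored replace rewrites a part of the version string other than the leading prefix, so the version shown in the requirements message is no longer the one the extension actually reports.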
