- Status changed to Needs work
4:27pm 26 January 2023 - United States - xjm
Ideally we would add test coverage for this. Thanks!
I closed the outdated MR for clarity.
Drupal\Core\Ajax\AjaxResponseAttachmentsProcessor does not validate its POST parameters. Because of this, it's possible to easily generate a lot of warnings/errors. This code can be executed on all public routes by adding the right query/POST parameters, which allows anyone to flood the logs of a Drupal website.
Do an HTTP call to any path. In this example, libraries is an array instead of a string, which is the expected type:
POST /?_wrapper_format=drupal_ajax&ajax_form=1
Content-Type: application/x-www-form-urlencoded
ajax_page_state[libraries][0]=test
In this example, the library definition is invalid, which triggers an error in Drupal\Core\Asset\LibraryDependencyResolver:
POST /?_wrapper_format=drupal_ajax&ajax_form=1
Content-Type: application/x-www-form-urlencoded
ajax_page_state[libraries]=test
Add some basic validation to ensure libraries are in the right format and parameters are of the right type.
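The kind of check the summary asks for, as an added example that is not part of the issue, the closed MR, or Drupal core. It is a standalone PHP 8 function (the names validateAjaxPageStateLibraries and AjaxPageStateValidationException are assumptions made here) that takes the raw ajax_page_state value as PHP parses it from an application/x-www-form-urlencoded body, rejects both malformed requests shown above before any library resolution runs, and accepts only a comma-separated string of "extension/library_name" identifiers, which is the shape the parameter normally carries.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal's own code: a validator for the raw
// ajax_page_state request parameter. It assumes only the usual shape of the
// parameter, a single string holding comma-separated "extension/library"
// identifiers, and makes no assumption about any other Drupal API.

final class AjaxPageStateValidationException extends \InvalidArgumentException {}

/**
 * Validate ajax_page_state and return the library identifiers it carries.
 *
 * @param mixed $ajaxPageState Raw value of $_POST['ajax_page_state'] (or the
 *   query-string equivalent), before any type assumption is made about it.
 *
 * @return string[] Library identifiers such as "core/drupal.ajax".
 *
 * @throws AjaxPageStateValidationException when the parameter is malformed.
 */
function validateAjaxPageStateLibraries(mixed $ajaxPageState): array
{
    // An absent parameter is legitimate: the client simply has nothing loaded.
    if ($ajaxPageState === null) {
        return [];
    }
    // a[b]=c in the body must have produced an array, not a scalar.
    if (!is_array($ajaxPageState)) {
        throw new AjaxPageStateValidationException('ajax_page_state must be an array.');
    }
    if (!array_key_exists('libraries', $ajaxPageState)) {
        return [];
    }
    $libraries = $ajaxPageState['libraries'];
    // First request from the issue: libraries[0]=test sends an array where a
    // string is expected. Reject it here instead of letting later code fail.
    if (!is_string($libraries)) {
        throw new AjaxPageStateValidationException('ajax_page_state[libraries] must be a string.');
    }
    if ($libraries === '') {
        return [];
    }
    $valid = [];
    foreach (explode(',', $libraries) as $entry) {
        // Second request from the issue: "test" has no "extension/" prefix, so
        // it can never name a declared library and would reach the dependency
        // resolver as garbage. The pattern below is this example's assumption
        // about what an identifier looks like, not a rule taken from core.
        if (!preg_match('#^[a-z0-9_]+/[a-z0-9_.\-]+$#i', $entry)) {
            throw new AjaxPageStateValidationException(
                sprintf('Invalid library identifier "%s".', $entry)
            );
        }
        $valid[] = $entry;
    }
    return $valid;
}

// Constructed inputs: the two malformed requests from the issue plus a
// well-formed one, as PHP would parse them from the form-encoded body.
$cases = [
    'array instead of string'  => ['libraries' => ['test']],
    'missing extension prefix' => ['libraries' => 'test'],
    'well-formed'              => ['libraries' => 'core/drupal.ajax,core/jquery'],
];
foreach ($cases as $label => $state) {
    try {
        printf("%s: accepted %s\n", $label, json_encode(validateAjaxPageStateLibraries($state)));
    } catch (AjaxPageStateValidationException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

The point of checking the type before the format is that PHP's form parsing happily turns `libraries[0]=test` into an array, so a string-only check such as a regex would itself emit a warning when handed that array. Rejecting malformed input with a single exception, which the caller can turn into a 400 response, is what stops an unauthenticated request from writing to the log on every public route.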
Status: Needs work
Version: 10.1
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.