Nested f parameter ?f[0][1]

Created on 8 March 2021, over 3 years ago
Updated 10 July 2024, 3 months ago

Problem/Motivation

If the f GET parameter is nested more than one level, notices are thrown. This was observed when bots were trying to find weaknesses on our live environment. A lot of notices :-)

Steps to reproduce

Append the following string to a path where facets are active:

?f[0][1]

Proposed resolution

In the file facets/src/Plugin/facets/url_processor/QueryString.php, in the function initializeActiveFilters, a check should be added to make sure the f parameter is not nested more than one level; otherwise the explode function and further will throw notices.

@@ -228,6 +228,11 @@ protected function initializeActiveFilters() {

// Explode the active params on the separator.
foreach ($active_params as $param) {
+ //make sure $param is a string
+ if (!is_string($param)) {
+ continue;
+ }
+
$explosion = explode($this->getSeparator(), $param);
$url_alias = array_shift($explosion);
$facet_id = $this->getFacetIdByUrlAlias($url_alias, $facet_source_id);
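
Review bot: The comment on the added guard, `//make sure $param is a string`, should follow Drupal comment style (space after `//`, capitalised sentence, trailing period) and say why the value can be a non-string, for example `// Skip nested values such as ?f[0][1], which arrive as arrays.` The `!is_string($param)` check itself sits in the right place, ahead of `explode()`. A test that requests `?f[0][1]` on a facet path would keep it from regressing.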

This was tested on 8.x-1.8.
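
The following added example (not part of the original issue and not the Facets module's code) shows what PHP hands to the loop for `?f[0][1]` and applies the same string check to a standalone parser. The function name `active_filters`, the `:` separator and the sample query strings are assumptions made for illustration. It also goes one step beyond the patch by rejecting a scalar `?f=foo`.

```php
<?php
// Assumed separator between URL alias and value; constructed for this example.
const SEPARATOR = ':';

/**
 * Returns [alias, value] pairs from the raw "f" query parameter.
 *
 * Anything that is not a flat list of "alias:value" strings is skipped
 * instead of being passed to explode().
 */
function active_filters(string $query_string): array {
  // parse_str() builds nested arrays from bracket syntax, so the
  // query "f[0][1]" becomes ['f' => [0 => [1 => '']]].
  parse_str($query_string, $query);
  $active_params = $query['f'] ?? [];

  // "?f=foo" yields a plain string rather than a list of filters.
  if (!is_array($active_params)) {
    return [];
  }

  $filters = [];
  foreach ($active_params as $param) {
    // Same guard as the patch: a nested value arrives as an array.
    if (!is_string($param)) {
      continue;
    }
    $explosion = explode(SEPARATOR, $param);
    $alias = array_shift($explosion);
    // A value without a separator carries no facet value; skip it.
    if ($explosion === []) {
      continue;
    }
    $filters[] = [$alias, implode(SEPARATOR, $explosion)];
  }
  return $filters;
}

// Constructed inputs: a valid filter, the nested case from this issue,
// a mix of both, and a scalar "f".
foreach (['f[0]=color:red', 'f[0][1]', 'f[0]=color:red&f[1][x]=y', 'f=foo'] as $qs) {
  echo $qs, ' => ', json_encode(active_filters($qs)), PHP_EOL;
}
```

Without the `is_string()` check, the nested input reaches `explode()` as an array. On PHP 7 that raises a warning and returns null; on PHP 8 it throws a `TypeError`.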

🐛 Bug report

Status: Fixed
Version: 2.0
Component: Code
Created by: 🇧🇪 Belgium, paulvb
