Requesting a page with ?page[foo]=bla results in a fatal error on PHP 8+

Created on 7 October 2022, over 2 years ago

Updated 24 January 2025, 11 days ago

Problem/Motivation

The code assumes that page is a string, passing in an array results in a warning on PHP 7 and a fatal error on PHP 8. We discovered this because a security scanner on one of our websites triggered a lot of those errors.

Steps to reproduce

Visit /node?page[foo]=bla:

The website encountered an unexpected error. Please try again later.
TypeError: explode(): Argument #2 ($string) must be of type string, array given in explode() (line 58 of core/lib/Drupal/Core/Pager/PagerParameters.php).

explode() (Line: 58)
Drupal\Core\Pager\PagerParameters->getPagerQuery() (Line: 49)
Drupal\Core\Pager\PagerParameters->findPage() (Line: 304)
Drupal\views\Plugin\views\pager\SqlBase->setCurrentPage() (Line: 929)
Drupal\views\ViewExecutable->initPager() (Line: 1444)
Drupal\views\Plugin\views\query\Sql->build() (Line: 1321)
Drupal\views\ViewExecutable->build() (Line: 392)

Proposed resolution

Ignore non-string page query parameters.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Closed: duplicate

Version

11.0 🔥

Component

base system

Created by

🇨🇭Switzerland berdir Switzerland

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Needs Review Queue Initiative
Used to track the progress of issues reviewed by the Drupal Needs Review Queue Initiative.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 11 days ago →
🇳🇱Netherlands johnv
🐛 Protect pager against [] for the page Needs work is older, has more activity .

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024