Inspired by the work and analysis taking place in 🐛 preg_split in _filter_url breaks for long html tags Fixed it becomes clear that testing codes as well as the actual codes from core would benefit from having type-safe preg_* replacements.
The silent failing of preg_* functions causes critical issues that are difficult (but not impossible) to figure out as well as capture in tests.
@see 🐛 preg_split in _filter_url breaks for long html tags Fixed and !2862 mergeable
Scan and replace all preg_* function calls with their equivalent Composer\Pcre\Preg::* method
Additionally, update/extend tests that were trying to capture failures (based on FALSE/NULL return values) and can now expect a known exception.
An example @see the approach taken in the MR =>
!2865 mergeable
Active
11.0 🔥
composer
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Adding the "Security improvements" tag because I think this would make it a bit easier to prevent some ReDos vulnerabilities (because reaching the backtrack limit would now trigger an exception that can be catched instead of retuning NULL silently, which can sometimes be dangerous depending on where this NULL result is then used).