Contrib.social

Validate view_name in ajaxView()

Open on Drupal.org β†’
Created on 29 June 2024, 2 months ago
Updated 4 August 2024, about 1 month ago

Problem/Motivation

Similar to Validating String Encodings Before Insert πŸ“Œ Validating String Encodings Before Insert Active , a malicious user tried to change an sql query by manipulating the url of an ajax call which resulted in the following error:

Drupal\Core\Database\DatabaseExceptionWrapper: SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (ascii_general_ci,IMPLICIT) and (utf8mb4_general_ci,COERCIBLE) for operation '=': SELECT "name", "data" FROM "config" WHERE "collection" = :collection AND "name" IN ( :names__0 ); Array
(
    [:collection] =>
    [:names__0] => views.view.awards鎈'"\(
)
 in Drupal\Core\Config\DatabaseStorage->readMultiple() (line 111 of /var/www/<site>/public/core/lib/Drupal/Core/Config/DatabaseStorage.php).

Steps to reproduce

To reproduce this, you can just hit this url: https:///views/ajax?view_name=awards鎈'"\(&view_display_id=page_1&_drupal_ajax=1
..and pass in some weird character with the view name (in this case the user passed in the view name 'awards' with some (chinese??) character and some other characters after it.

Proposed resolution

Validate the view_name inside ViewAjaxController::ajaxView() before Drupal tries to use it to load a config entity.

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component
ViewsΒ  β†’

Last updated about 12 hours ago

Created by

ramil g

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024