Add validation of langcode in MachineNameController

Created on 1 August 2024, 3 months ago
Updated 8 August 2024, 3 months ago

Problem/Motivation

In 10.2 we deprecated \Drupal\system\MachineNameController::transliterate.
However, it is still possible to trigger an uncaught exception (an HTTP 500 response) by passing an array for the text or langcode query parameters.
We should catch that and return a 400 or similar rather than a 500.

This was originally reported to the security team but has been cleared to be a public issue.

Steps to reproduce

Proposed resolution

Add try/catch for \Symfony\Component\HttpFoundation\Exception\BadRequestException around these lines in \Drupal\system\MachineNameController::transliterate:

    $text = $request->query->get('text');
    $langcode = $request->query->get('langcode');
    $replace_pattern = $request->query->get('replace_pattern');
    $replace_token = $request->query->get('replace_token');
    $replace = $request->query->get('replace');
    $lowercase = $request->query->get('lowercase');

This is a 10.x-only issue, as the controller has been removed in 11.x.
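An added example of the proposed try/catch, written for this issue and not taken from core or the issue's merge request. It assumes a Symfony 6 InputBag (whose get() throws BadRequestException for a non-scalar value) and uses a hypothetical helper class; the two Request objects are constructed for illustration.

```php
<?php

use Symfony\Component\HttpFoundation\Exception\BadRequestException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

// Hypothetical helper wrapping the parameter reads in transliterate().
class MachineNameQueryReader {

  /**
   * Reads the query parameters transliterate() relies on.
   *
   * InputBag::get() throws BadRequestException when a value is not scalar,
   * e.g. ?langcode[0]=1. Left uncaught, Drupal answers with a 500 and logs
   * a stack trace for what is really malformed client input.
   *
   * @return array<string, mixed>
   *   Parameter values keyed by name.
   *
   * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
   *   When any of the parameters is not a scalar (mapped to HTTP 400).
   */
  public static function read(Request $request): array {
    $names = ['text', 'langcode', 'replace_pattern', 'replace_token', 'replace', 'lowercase'];
    $values = [];
    try {
      foreach ($names as $name) {
        $values[$name] = $request->query->get($name);
      }
    }
    catch (BadRequestException $e) {
      // A 400 correctly blames the request; the original exception is kept
      // as $previous so the cause is still visible in the log.
      throw new BadRequestHttpException('Query parameters must be scalar values.', $e);
    }
    return $values;
  }

}

// Constructed requests: a well-formed one and the array-valued langcode case.
$ok = Request::create('/machine_name/transliterate', 'GET', ['text' => 'Héllo', 'langcode' => 'en']);
$bad = Request::create('/machine_name/transliterate', 'GET', ['text' => 'x', 'langcode' => ['1']]);

print_r(MachineNameQueryReader::read($ok)['langcode']);   // en
try {
  MachineNameQueryReader::read($bad);
}
catch (BadRequestHttpException $e) {
  echo $e->getStatusCode();                                // 400
}
```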

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

📌 Task
Status

Closed: outdated

Version

10.3

Component
Base 

Last updated about 6 hours ago

Created by

larowlan (Australia, GMT+10)

  • Security improvements


  • Novice



Merge Requests

Comments & Activities

  • Issue created by @larowlan
  • First commit to issue fork.
  • Pipeline finished with Failed
    3 months ago
    Total: 480s
    #241226
  • Pipeline finished with Failed
    3 months ago
    Total: 450s
    #241237
  • benjifisher (United States, Boston area)

    @larowlan:

    I tested this issue with Drupal 10.2.x and 10.3.x, and I already get a 400 response (with the message "Client error") when I visit http://drupal.ddev.site/machine_name/transliterate/?langcode%5B0%5D=1&text=%D2%89. The logs show that there was a BadRequestException.

    Testing with 9.3.x, I get a server error (500 response, or maybe 503).

    @ankitv18: Thanks for working on this issue, but I think that we should close it as outdated.

    Next time, please remember to change the issue status to "Needs Review" (NR) once you have opened a merge request. Sometime "soon", Drupal will switch from the current issue queue to using GitLab issues, and that step should be automatic.

  • Status changed to Closed: outdated 3 months ago
  • benjifisher (United States, Boston area)

    I confirmed with @larowlan, and we agreed to close this issue, as I suggested in my previous comment.
