Media Library Widget skips constraint validations

Created on 6 August 2024, 6 months ago

This was initially an issue at security.drupal.org, but it was decided to resolve it publicly.

Problem/Motivation

If a contrib/custom module adds a constraint to an entity reference field, and the media library widget is used, the constraints are never validated. Depending on the constraint that might lead to information disclosure.

Steps to reproduce

1. Install core standard.
2. Enable media library.
3. Enable the contrib entity_reference_validator.
4. Add a multivalued entity reference to media in Article.
5. Edit the Article edit form to use the media library widget for that field, and enable "avoid duplicates" (via the entity_reference_validator).
6. Create a new Article and reference a media twice.
7. Verify that the constraint was never triggered and it will allow you to save it.

Proposed resolution

The problem comes because WidgetBase::flagErrors does:

            $error_element = $this->errorElement($delta_element, $violation, $form, $form_state);
            if ($error_element !== FALSE) {
              $form_state->setError($error_element, $violation->getMessage());
            }

MediaLibraryWidget::errorElement has return $element['target_id'] ?? FALSE;

But somehow it's being reached with the parent form element when I debug this.

An incomplete-but-working fix is:

  public function errorElement(array $element, ConstraintViolationInterface $error, array $form, FormStateInterface $form_state) {
    // When handed the parent widget element, attach the error to its
    // 'selection' container instead of returning FALSE (which drops it).
    if (isset($element['selection'])) {
      return $element['selection'];
    }

    return $element['target_id'] ?? FALSE;
  }

Remaining tasks

TBD

User interface changes

TBD

Introduced terminology

TBD

API changes

TBD

Data model changes

TBD

Release notes snippet

TBD
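To make the mechanism in the Proposed resolution concrete, here is an added, dependency-free PHP simulation (not Drupal core code) of the flagErrors/errorElement hand-off; FakeViolation, FakeFormState, the '#name' keys and the $widget array are constructed stand-ins, and errorElementOriginal/errorElementFixed reproduce the current method and the proposed one.

```php
<?php
// Added example, not Drupal core code: simulates the WidgetBase::flagErrors()
// / errorElement() hand-off to show why a violation is silently dropped when
// errorElement() returns FALSE for the parent widget element it is reached with.
// Constructed stand-in for ConstraintViolationInterface (getMessage() only).
final class FakeViolation {
  public function __construct(private string $message) {}
  public function getMessage(): string { return $this->message; }
}
// Constructed stand-in for FormStateInterface: records setError() calls.
final class FakeFormState {
  public array $errors = [];
  public function setError(array $element, string $message): void {
    $this->errors[$element['#name']] = $message;
  }
}
// Current MediaLibraryWidget::errorElement(): expects a per-delta element.
function errorElementOriginal(array $element): array|false {
  return $element['target_id'] ?? FALSE;
}
// Fix proposed in the issue: route the error to the 'selection' container
// when handed the parent widget element, else fall back to target_id.
function errorElementFixed(array $element): array|false {
  if (isset($element['selection'])) {
    return $element['selection'];
  }
  return $element['target_id'] ?? FALSE;
}
// Mirrors the flagErrors() snippet: FALSE means "nowhere to attach the
// error", so the violation never reaches the form state and the save proceeds.
function flagError(callable $errorElement, array $element, FakeViolation $v, FakeFormState $fs): bool {
  $error_element = $errorElement($element);
  if ($error_element !== FALSE) {
    $fs->setError($error_element, $v->getMessage());
    return TRUE;
  }
  return FALSE;
}
// Constructed parent widget element: a 'selection' container, no 'target_id'.
$widget = ['#name' => 'field_media', 'selection' => ['#name' => 'field_media[selection]']];
$violation = new FakeViolation('Duplicate media reference.');
$fs = new FakeFormState();
printf("original flagged: %s\n", flagError('errorElementOriginal', $widget, $violation, $fs) ? 'yes' : 'no');
$fs = new FakeFormState();
printf("fixed flagged: %s\n", flagError('errorElementFixed', $widget, $violation, $fs) ? 'yes' : 'no');
print_r($fs->errors);
```

Run with `php` 8.0 or later; the original variant reports that no error was flagged, while the fixed variant records the violation message against the selection container.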

πŸ› Bug report
Status

Active

Version

10.4 ✨

Component
Media →

Last updated 2 days ago

Created by

🇪🇸Spain penyaskito Seville 💃, Spain 🇪🇸, UTC+2 🇪🇺


Comments & Activities

  • Issue created by @penyaskito
  • 🇨🇷Costa Rica yuvania

    Maybe you could try breaking down the target_id further in the errorElement function to see if something is being missed in the validation. I'm referring to checking or adjusting the structure of $element before it reaches the check, in case there's any data not being handled correctly.

  • 🇳🇿New Zealand quietone

    Changes are made on 11.x (our main development branch) first, and are then back ported as needed according to our policies.
