Unescaped regular expression input in autocomplete callback

Created on 21 October 2024, about 2 months ago

Problem/Motivation

(This was reported by @berdir to the security team as a private issue. Since access to the autocomplete callback requires a restricted permission, the issue can be handled in public.)

    $pattern = '/^' . $request->query->get('q') . '/i';
    $prefixMatches = preg_grep($pattern, $categories);

This is in \Drupal\monitoring\Controller\CategoryAutocompleteController::autocomplete. The route is restricted to the "administer monitoring" permission, which _is_ a restricted permission. The value of the `q` query parameter is concatenated into the PCRE pattern without escaping, so regex metacharacters in it change the pattern: the `^` anchor can be bypassed, a `/` in the input terminates the pattern and makes preg_grep() fail, and a crafted pattern can be expensive to match.
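As an added example, not code from the monitoring module, here is the unescaped pattern from the callback beside a hardened form that escapes the input with preg_quote(), both run against a constructed category list. The function names, the sample categories and the test inputs are assumptions made for the illustration:

```php
<?php
// Added example, not the monitoring module's code. Shows how unescaped input
// alters the pattern and how preg_quote() confines it to a literal prefix.

// Constructed sample data standing in for the module's category list.
$categories = ['cron', 'database', 'drupal', 'php', 'requirements', 'watchdog'];

/**
 * Mirrors the reported callback: the input is spliced into the regex as-is.
 * Returns the matching categories, or FALSE when PCRE rejects the pattern
 * (the E_WARNING PHP emits in that case is silenced here for the demo).
 */
function vulnerable_prefix_match(string $q, array $categories) {
  $pattern = '/^' . $q . '/i';
  return @preg_grep($pattern, $categories);
}

/**
 * Hardened form: preg_quote() escapes regex metacharacters and, given the
 * second argument, the '/' delimiter, so the input can only ever match
 * itself as a literal, case-insensitive prefix.
 */
function safe_prefix_match(string $q, array $categories): array {
  $pattern = '/^' . preg_quote($q, '/') . '/i';
  return array_values(preg_grep($pattern, $categories));
}

// Constructed inputs: one benign prefix and four that abuse the pattern.
$cases = [
  'dr',      // benign prefix, both versions behave the same
  '.*',      // wildcard: the vulnerable version returns every category
  'd|php',   // alternation: the "prefix" anchor only applies to the first branch
  'x/',      // unescaped delimiter: "Unknown modifier '/'" -> preg_grep() FALSE
  '(',       // unbalanced parenthesis: compile error -> preg_grep() FALSE
];

foreach ($cases as $q) {
  $bad = vulnerable_prefix_match($q, $categories);
  $good = safe_prefix_match($q, $categories);
  printf("%-8s vulnerable=%s  safe=%s\n",
    var_export($q, true),
    $bad === false ? 'FALSE (pattern rejected)' : json_encode(array_values($bad)),
    json_encode($good));
}
```

Run with `php example.php`: for `.*` the vulnerable version returns all six categories while the hardened one returns none, and for `x/` and `(` the vulnerable version yields FALSE, which a caller that expects an array will then mishandle. The same escaping is the fix for the real callback; a length cap on `q` is a reasonable additional guard against expensive patterns, but with preg_quote() applied the input can no longer contain quantifiers, so catastrophic backtracking is not reachable through it.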

Remaining steps

Write a patch, review, commit.

Background information

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

mr.baileys 🇧🇪 (Ghent, Belgium)

Tags

  • Security
