500 error thrown if supplied path uses an encoding that breaks the JSON format in the response

Created on 19 November 2024, 3 months ago

Problem/Motivation

Our site experienced an interesting attack attempt. The attacker hit multiple URLs of the form:

/router/translate-path?path=some-path%2F%D051b4c001%22d051b4c001%3Dd051b4c001%25 where some-path is actually a valid Drupal path.

Eventually, we saw a rise in 500 errors triggered by this module:

Uncaught PHP Exception InvalidArgumentException: "Malformed UTF-8 characters, possibly incorrectly encoded" at /var/www/html/vendor/symfony/http-foundation/JsonResponse.php line 142

Proposed resolution

Attempt to decode the path to UTF-8 if the mbstring extension is available.

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

🇨🇴Colombia ibustos Bogotá D.C.
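
The failure and the proposed normalization, as an added example that is not the module's code or the reporter's patch: it decodes the query value from the report, shows `json_encode()` rejecting it, then scrubs the path before encoding. The helper names and the `resolved` response key are hypothetical.

```php
<?php
declare(strict_types=1);

// Query value from the request in the report ("some-path" is the report's stand-in).
$raw  = 'some-path%2F%D051b4c001%22d051b4c001%3Dd051b4c001%25';
$path = rawurldecode($raw); // the decoded value a controller would receive

// %D0 is a UTF-8 lead byte and must be followed by a continuation byte
// (0x80-0xBF). Here the next byte is "5" (0x35), so the string is not valid UTF-8.
function is_valid_utf8(string $s): bool
{
    return function_exists('mb_check_encoding')
        ? mb_check_encoding($s, 'UTF-8')
        : preg_match('//u', $s) === 1; // PCRE /u fails on invalid UTF-8
}

// Hypothetical helper: return a path that can be echoed back inside JSON.
function path_for_json(string $path): string
{
    if (is_valid_utf8($path)) {
        return $path;
    }
    if (function_exists('mb_scrub')) {
        // mbstring available: replace invalid byte sequences with the
        // mbstring substitute character.
        return mb_scrub($path, 'UTF-8');
    }
    // No mbstring: let json_encode substitute U+FFFD, then read the string back.
    return json_decode(json_encode($path, JSON_INVALID_UTF8_SUBSTITUTE));
}

// Before: json_encode() fails, which Symfony's JsonResponse reports as
// InvalidArgumentException carrying json_last_error_msg().
var_dump(json_encode(['resolved' => $path]));
echo json_last_error_msg(), PHP_EOL;

// After: the scrubbed path encodes; JSON_THROW_ON_ERROR surfaces any regression.
$clean = path_for_json($path);
echo json_encode(['resolved' => $clean], JSON_THROW_ON_ERROR), PHP_EOL;
```

Rejecting the request with a 400 when `is_valid_utf8()` returns false is the stricter alternative, since no valid Drupal path contains malformed UTF-8.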
