Infinite recursion from REST 406 handling

Created on 13 April 2025, 20 days ago

Problem/Motivation

This was originally reported to the security team but it was decided it could be handled in a public issue.

Steps to Reproduce:
1. On a Fresh Drupal Install of 10.x Enable the RESTful Web Services Module and Views module

2. Create a new Views Rest Export without any Contextual filters
   a. In my test, my rest export was configured to only return the fields of article content, no filters were applied.
   b. Path to my rest export is called: '/rest_export'

3. Access your rest export without specifying the _format parameter and add additional path segment(s) when none are expected.
   a. For example: If the path to your rest_export is '/rest_export', the intended way to access your resource would be: 'http://mysite.com/rest_export?_format=json' however if someone attempts to access, http://mysite.com/rest_export/test the issue will occur.

If this route is accessed in this way the Drupal logs are filled up with Client Errors throwing Symfony\Component\HttpKernel\Exception\NotAcceptableHttpException until a PHP timeout is reached or memory is exhausted.

Expected behavior: Throw a 404 or Client Error and stop processing.


πŸ› Bug report
Status

Active

Version

11.0 🔥

Component

base system

Created by

🇬🇧 United Kingdom catch
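
One way to spot the symptom described in this issue from exported logs, as an added example that is not part of the original report or of Drupal's code. It assumes entries in the pipe-delimited layout of the syslog module's default format and a "client error" log channel; the sample lines, window and threshold are constructed.

```python
from collections import defaultdict

EXC = "NotAcceptableHttpException"
# Constructed sample log. Assumed layout (syslog module default format):
# base_url|timestamp|type|ip|request_uri|referer|uid|link|message
_MSG = "Symfony\\Component\\HttpKernel\\Exception\\" + EXC + ": constructed message"
_ROW = "http://mysite.com|{ts}|{type}|203.0.113.7|http://mysite.com{path}||0||{msg}"
SAMPLE_LOG = (
    # 200 entries in 4 seconds for one URI: the looping request from step 3.
    [_ROW.format(ts=1744570000 + i // 50, type="client error",
                 path="/rest_export/test", msg=_MSG) for i in range(200)]
    # Three ordinary 406 responses spread over a minute: must not be flagged.
    + [_ROW.format(ts=1744570100 + 30 * i, type="client error",
                   path="/rest_export?_format=xml", msg=_MSG) for i in range(3)]
    + [_ROW.format(ts=1744570200, type="page not found", path="/nope", msg="/nope")]
)

def parse(line):
    """Split one pipe-delimited entry; return None for lines in another shape."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9 or not parts[1].isdigit():
        return None
    return {"ts": int(parts[1]), "type": parts[2], "uri": parts[4], "message": parts[8]}

def find_406_loops(lines, window=10, threshold=50):
    """Map each request URI to its peak count of 406 log entries inside any
    `window`-second span, keeping only URIs that reach `threshold`."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["type"] == "client error" and EXC in rec["message"]:
            stamps[rec["uri"]].append(rec["ts"])
    flagged = {}
    for uri, ts in stamps.items():
        ts.sort()
        start = best = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[uri] = best
    return flagged

if __name__ == "__main__":
    for uri, count in find_406_loops(SAMPLE_LOG).items():
        print(f"possible 406 recursion: {count} entries within 10s for {uri}")
```

A single well-behaved request logs one 406 entry, so a burst for one URI within seconds is the signal; tune `window` and `threshold` to the site's normal traffic.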
