Byte strings in message placeholders causing Rollbar to log NULL messages

Created on 26 May 2025, 13 days ago

Problem/Motivation

When there are errors with binary strings as message placeholders, Rollbar logs the error, but the error message is 'null'.

Steps to reproduce

Say you have a page built with a view and with an exposed filter "example". If you visit the page as usual or provide an existing filtering option, there will be no error:

/page?example=1

If you try to provide a non-existing filtering option like this:

/page?example=random-value

You'd get an error:

"The submitted value random-value in the Example element is not allowed."

So far Rollbar will be working fine. But if an attacker submits a binary string as an argument:

page?example%5B25%5D=1%00%C0%A7%C0%A2%252527%252522

The resulting message will be:

b"The submitted value 1\x00ˤˢ%2527%2522 in the Example element is not allowed."

Rollbar will try to log this message, but the message body will be logged as null (see attachment).

Proposed resolution

Replace message placeholders, the way DB log does, using the FormattableMarkup class.

🐛 Bug report
Status

Needs work

Version

2.1

Component

Code

Created by

🇰🇬Kyrgyzstan elaman
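
The failure mode in the report and the effect of escaping placeholder values before substitution, as an added example in plain PHP (not the Rollbar module's code and not from the issue author). It assumes the null body comes from JSON serialisation rejecting invalid UTF-8, which the report does not state; `format_log_message()` is a hypothetical helper that applies the same `htmlspecialchars()` flags as Drupal's `Html::escape()`.

```php
<?php
// Added illustration; runs without a Drupal bootstrap.

/**
 * Hypothetical helper: substitute @placeholders into a log message after
 * making each value valid UTF-8. ENT_SUBSTITUTE replaces invalid byte
 * sequences with U+FFFD instead of passing them through.
 */
function format_log_message(string $message, array $context): string {
  $replacements = [];
  foreach ($context as $key => $value) {
    if (is_string($key) && $key !== '' && $key[0] === '@' && is_scalar($value)) {
      $replacements[$key] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
  }
  return strtr($message, $replacements);
}

/** True when $text is well-formed UTF-8 (the /u modifier makes PCRE validate it). */
function is_valid_utf8(string $text): bool {
  return preg_match('//u', $text) === 1;
}

// Constructed input: the query value from the report after one URL decode.
// It contains a NUL byte and the overlong sequences C0 A7 and C0 A2.
$value = rawurldecode('1%00%C0%A7%C0%A2%252527%252522');
$template = 'The submitted value @value in the @name element is not allowed.';
$context = ['@value' => $value, '@name' => 'Example'];

// Naive substitution copies the raw bytes into the message.
$raw = strtr($template, $context);
echo 'raw message valid UTF-8:  ';
var_dump(is_valid_utf8($raw));
// json_encode() reports an error instead of a string for malformed UTF-8.
echo 'raw message as JSON:      ';
var_dump(json_encode(['body' => $raw]));
echo 'json error:               ', json_last_error_msg(), "\n";

// Escaped substitution yields a message that can be serialised.
$safe = format_log_message($template, $context);
echo 'safe message valid UTF-8: ';
var_dump(is_valid_utf8($safe));
echo 'safe message as JSON:     ';
var_dump(json_encode(['body' => $safe]));
```

Running it with `php` prints the validity check and the JSON result for both the raw and the escaped message, so the two can be compared side by side.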
