Arbitrarily many facets can still be used if the `limit` is skipped

Created on 10 June 2025, about 2 months ago

Problem/Motivation

The module presently determines if the limit has been reached by checking for the existence of $_GET['f'][{limit}], where {limit} is the configured limit: https://git.drupalcode.org/project/facet_bot_blocker/-/blob/8c0f01963408...

The limit can be exceeded by manually skipping the given offset, i.e. sending $_GET['f'][{limit + n}] for some n > 0 instead of $_GET['f'][{limit}]. While links generated in a page would not normally be constructed in such a manner, it is a relatively simple change to make in the URL, and it does not seem unreasonable that some bots might attempt it.

Steps to reproduce

Enable and configure the module.
Navigate such that the limit is reached.
Manually alter the GET query parameter so that the offset at the limit is skipped (e.g. use offset limit + 1 instead of limit).

Proposed resolution

Change to count the number of entries in $_GET['f'] to determine if the limit has been reached, instead of probing a single offset.
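As an added illustration (not the module's own code), the following PHP script parses a few constructed query strings the same way PHP populates $_GET and runs both checks over them: the current single-offset probe and the proposed count-based check. It assumes the current check is an isset() on offset {limit} and a configured limit of 3; both are assumptions for the example, not taken from the module.

```php
<?php
// Added example, not facet_bot_blocker code. LIMIT and the query strings
// below are constructed for illustration.
declare(strict_types=1);

const LIMIT = 3; // assumed configured facet limit

/** Current behaviour (assumed): probe only the single offset {limit}. */
function limitReachedByOffset(array $query, int $limit): bool {
    return isset($query['f'][$limit]);
}

/** Proposed behaviour: count the entries in f, whatever their keys are. */
function limitReachedByCount(array $query, int $limit): bool {
    $f = $query['f'] ?? [];
    // ?f=foo yields a string rather than an array; count() on a string
    // throws a TypeError on PHP 8, so normalise to a one-element array.
    if (!is_array($f)) {
        $f = [$f];
    }
    return count($f) > $limit;
}

$cases = [
    // Link as the facets UI would generate it: sequential keys 0..n.
    'f[0]=a&f[1]=b&f[2]=c&f[3]=d',
    // Same number of facets, but offset 3 is skipped: bypasses the offset probe.
    'f[0]=a&f[1]=b&f[2]=c&f[4]=d',
    // Non-numeric keys: also bypasses the offset probe.
    'f[x]=a&f[y]=b&f[z]=c&f[w]=d',
    // Within the limit: both checks allow it.
    'f[0]=a&f[1]=b&f[2]=c',
];

foreach ($cases as $qs) {
    parse_str($qs, $query); // same parsing $_GET receives
    printf(
        "%-30s offset-probe:%s  count:%s\n",
        $qs,
        limitReachedByOffset($query, LIMIT) ? 'blocked' : 'allowed',
        limitReachedByCount($query, LIMIT) ? 'blocked' : 'allowed'
    );
}
```

Run with `php example.php`. The second and third query strings carry four facets, one more than the limit, yet the offset probe reports "allowed" for both because $_GET['f'][3] is never set; the count-based check blocks them. The comparison is `count($f) > $limit` so that exactly {limit} facets remain allowed, matching the current semantics where the presence of offset {limit} (the {limit}+1th entry) is what trips the check.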

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇨🇦 adam-vessey, PE, Canada
