Issue #3264050 by neclimdul, andypost: Fuzzed tag values to...

Issue #3264050 by neclimdul, andypost: Fuzzed tag values to EntityAutocompleteController::handleAutocomplete can cause deprecation warning

Issue #3264050 by neclimdul, andypost: Fuzzed tag values to...
3ddc2e03 · catch · a0c44ff8 · 3ddc2e03 · 3ddc2e03
Commit 3ddc2e03 authored 3 years ago by catch
--- a/core/modules/system/src/Controller/EntityAutocompleteController.php
+++ b/core/modules/system/src/Controller/EntityAutocompleteController.php
@@ -79,27 +79,29 @@ public function handleAutocomplete(Request $request, $target_type, $selection_ha
    $matches = [];
    // Get the typed string from the URL, if it exists.
    if ($input = $request->query->get('q')) {
-      $typed_string = Tags::explode($input);
-      $typed_string = mb_strtolower(array_pop($typed_string));
+      $tag_list = Tags::explode($input);
+      if (!empty($tag_list)) {
+        $typed_string = mb_strtolower(array_pop($tag_list));

-      // Selection settings are passed in as a hashed key of a serialized array
-      // stored in the key/value store.
-      $selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
-      if ($selection_settings !== FALSE) {
-        $selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
-        if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
-          // Disallow access when the selection settings hash does not match the
-          // passed-in key.
-          throw new AccessDeniedHttpException('Invalid selection settings key.');
+        // Selection settings are passed in as a hashed key of a serialized array
+        // stored in the key/value store.
+        $selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
+        if ($selection_settings !== FALSE) {
+          $selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
+          if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
+            // Disallow access when the selection settings hash does not match the
+            // passed-in key.
+            throw new AccessDeniedHttpException('Invalid selection settings key.');
+          }
+        }
+        else {
+          // Disallow access when the selection settings key is not found in the
+          // key/value store.
+          throw new AccessDeniedHttpException();
        }
-      }
-      else {
-        // Disallow access when the selection settings key is not found in the
-        // key/value store.
-        throw new AccessDeniedHttpException();
-      }

-      $matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
+        $matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
+      }
    }

    return new JsonResponse($matches);

--- a/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php
@@ -88,6 +88,10 @@ public function testEntityReferenceAutocompletion() {
      'label' => Html::escape($entity_3->name->value),
    ];
    $this->assertSame($target, reset($data), 'Autocomplete returns an entity label containing a comma and a slash.');
+
+    $input = '"l!J>&Tw';
+    $data = $this->getAutocompleteResult($input);
+    $this->assertSame([], $data, 'Autocomplete of invalid string returns empty result');
  }

  /**