Commit 3ddc2e03 authored by catch's avatar catch

Issue #3264050 by neclimdul, andypost: Fuzzed tag values to...

Issue #3264050 by neclimdul, andypost: Fuzzed tag values to EntityAutocompleteController::handleAutocomplete can cause deprecation warning
parent a0c44ff8
......@@ -79,27 +79,29 @@ public function handleAutocomplete(Request $request, $target_type, $selection_ha
$matches = [];
// Get the typed string from the URL, if it exists.
if ($input = $request->query->get('q')) {
$typed_string = Tags::explode($input);
$typed_string = mb_strtolower(array_pop($typed_string));
$tag_list = Tags::explode($input);
if (!empty($tag_list)) {
$typed_string = mb_strtolower(array_pop($tag_list));
// Selection settings are passed in as a hashed key of a serialized array
// stored in the key/value store.
$selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
if ($selection_settings !== FALSE) {
$selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
// Disallow access when the selection settings hash does not match the
// passed-in key.
throw new AccessDeniedHttpException('Invalid selection settings key.');
// Selection settings are passed in as a hashed key of a serialized array
// stored in the key/value store.
$selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
if ($selection_settings !== FALSE) {
$selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
// Disallow access when the selection settings hash does not match the
// passed-in key.
throw new AccessDeniedHttpException('Invalid selection settings key.');
}
}
else {
// Disallow access when the selection settings key is not found in the
// key/value store.
throw new AccessDeniedHttpException();
}
}
else {
// Disallow access when the selection settings key is not found in the
// key/value store.
throw new AccessDeniedHttpException();
}
$matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
$matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
}
}
return new JsonResponse($matches);
......
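Review bot: The new `if (!empty($tag_list))` on L20 now encloses the whole key-validation and matching body, so a request whose `q` explodes to no tags answers 200 with `[]` even when `$selection_settings_key` is unknown to the key/value store or fails the `hash_equals` check, whereas before any truthy `q` reached that check and got a 403. Nothing is looked up or leaked on that path, which matches the existing no-`q` branch, but the fact that the key check is now input-dependent deserves a comment at L20, e.g. `// No tags to match: skip the key lookup, exactly as when 'q' is absent.` As a point of style, a guard clause avoids re-indenting the hash-check block and keeps the nesting flat: `if ($tag_list === []) { return new JsonResponse($matches); }` (assuming Tags::explode() always returns an array) followed by the original `$typed_string = mb_strtolower(array_pop($tag_list));` and the untouched validation lines, since `$matches` is still `[]` at that point. Because this rendered view prints the old and new copies of the re-indented block without markers, the exact new nesting is inferred; handleAutocomplete's signature and the rest of its body lie outside the hunk.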
......@@ -88,6 +88,10 @@ public function testEntityReferenceAutocompletion() {
'label' => Html::escape($entity_3->name->value),
];
$this->assertSame($target, reset($data), 'Autocomplete returns an entity label containing a comma and a slash.');
$input = '"l!J>&Tw';
$data = $this->getAutocompleteResult($input);
$this->assertSame([], $data, 'Autocomplete of invalid string returns empty result');
}
/**
......
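Review bot: The literal `'"l!J>&Tw'` on L63 says nothing about why it is "invalid", which will make the test hard to maintain when Tags::explode() changes; a one-line comment should name the property being exercised, presumably the unbalanced double quote that leaves no tag to pop, e.g. `// Unbalanced quote: Tags::explode() yields no tags, so no key lookup may happen.` The assertion on L65 only pins the empty result; the deprecation warning named in the issue is caught by this test only if the runner turns deprecations into failures, which is not visible here, so stating that expectation in the comment would help. testEntityReferenceAutocompletion starts before the hunk and getAutocompleteResult is defined elsewhere.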