Commit 3ddc2e03 authored by catch

Issue #3264050 by neclimdul, andypost: Fuzzed tag values to...

Issue #3264050 by neclimdul, andypost: Fuzzed tag values to EntityAutocompleteController::handleAutocomplete can cause deprecation warning
parent a0c44ff8
...@@ -79,27 +79,29 @@ public function handleAutocomplete(Request $request, $target_type, $selection_ha ...@@ -79,27 +79,29 @@ public function handleAutocomplete(Request $request, $target_type, $selection_ha
$matches = []; $matches = [];
// Get the typed string from the URL, if it exists. // Get the typed string from the URL, if it exists.
if ($input = $request->query->get('q')) { if ($input = $request->query->get('q')) {
$typed_string = Tags::explode($input); $tag_list = Tags::explode($input);
$typed_string = mb_strtolower(array_pop($typed_string)); if (!empty($tag_list)) {
$typed_string = mb_strtolower(array_pop($tag_list));
// Selection settings are passed in as a hashed key of a serialized array // Selection settings are passed in as a hashed key of a serialized array
// stored in the key/value store. // stored in the key/value store.
$selection_settings = $this->keyValue->get($selection_settings_key, FALSE); $selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
if ($selection_settings !== FALSE) { if ($selection_settings !== FALSE) {
$selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt()); $selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
if (!hash_equals($selection_settings_hash, $selection_settings_key)) { if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
// Disallow access when the selection settings hash does not match the // Disallow access when the selection settings hash does not match the
// passed-in key. // passed-in key.
throw new AccessDeniedHttpException('Invalid selection settings key.'); throw new AccessDeniedHttpException('Invalid selection settings key.');
}
}
else {
// Disallow access when the selection settings key is not found in the
// key/value store.
throw new AccessDeniedHttpException();
} }
}
else {
// Disallow access when the selection settings key is not found in the
// key/value store.
throw new AccessDeniedHttpException();
}
$matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string); $matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
}
} }
return new JsonResponse($matches); return new JsonResponse($matches);
......
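Review bot: The new `if (!empty($tag_list))` guard now also encloses the key/value lookup of `$selection_settings_key` and the `hash_equals()` check, so a request whose non-empty `q` yields no tags from `Tags::explode()` skips the access check entirely and receives a 200 with `[]`, whereas the old code threw `AccessDeniedHttpException` for any non-empty `q` sent with an unknown or forged key. No entity data is returned on that path, but the authorization check has become conditional on whether the input parsed, which is the wrong ordering for an access boundary and changes the documented 403 behaviour for bad keys. Keeping the key validation unconditional and applying the empty-list guard only to the lower-casing and the matcher call restores the previous failure mode; sketch below. `handleAutocomplete()` starts and ends outside this hunk, so I cannot see whether an earlier check already covers the key.
```php
    if ($input = $request->query->get('q')) {
      $tag_list = Tags::explode($input);
      // Validate the selection settings key before looking at the parsed tags,
      // so that an unparseable q cannot bypass the HMAC check.
      $selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
      // … unchanged: hash_equals() check and the two AccessDeniedHttpException branches …
      if (!empty($tag_list)) {
        $typed_string = mb_strtolower(array_pop($tag_list));
        $matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
      }
    }
```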
...@@ -88,6 +88,10 @@ public function testEntityReferenceAutocompletion() { ...@@ -88,6 +88,10 @@ public function testEntityReferenceAutocompletion() {
'label' => Html::escape($entity_3->name->value), 'label' => Html::escape($entity_3->name->value),
]; ];
$this->assertSame($target, reset($data), 'Autocomplete returns an entity label containing a comma and a slash.'); $this->assertSame($target, reset($data), 'Autocomplete returns an entity label containing a comma and a slash.');
$input = '"l!J>&Tw';
$data = $this->getAutocompleteResult($input);
$this->assertSame([], $data, 'Autocomplete of invalid string returns empty result');
} }
/** /**
......
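Review bot: The new assertion at the end of `testEntityReferenceAutocompletion()` gives no hint of why `'"l!J>&Tw'` is the interesting input; the leading unbalanced double quote is presumably what makes `Tags::explode()` return no tags, which is the case the fix targets, and that deserves a comment such as `// An unbalanced quote makes Tags::explode() return no tags; the controller must return an empty result rather than error on the empty list.` As far as this hunk shows, `getAutocompleteResult()` exercises only the path with a valid selection settings key, so a companion request that sends the same input with an invalid key and asserts a 403 would pin down that the key check still runs when the tag list is empty. The test method starts before this hunk.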