search.module supports passing search keywords on the URL as GET arguments, and assumes these arguments to be strings. However, arrays can be passed to php scripts through get or post method as well as strings; so we need to check the type of the variable that comes from the user submission.
For example:
This message is given after typing the following in the address bar of the browser: example.com/search/node/?keys[]
Notice: Array to string conversion in search_view() (line 23 of ...\modules\search\search.pages.inc).
In Drupal 6 the message given is this:
warning: preg_match() expects parameter 2 to be string, array given in ...\modules\search\search.module on line 672.
Check for string format before operating on the search terms. Patch in #7 implements this fix for D7 and D8.
None.
None.
Arrays can be passed to php script through get or post method as well as string. So we need check type of the variable that comes from user and contains a search query.
I got this message after typing in address bar my browser: example.com/search/node/?keys[]
Notice: Array to string conversion in search_view() (line 23 of ...\modules\search\search.pages.inc).
In Drupal 6 this message looks as
warning: preg_match() expects parameter 2 to be string, array given in ...\modules\search\search.module on line 672.
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | check_search_query-1226480-2.patch | 2.26 KB | chi |
| #4 | test_only.patch | 1.7 KB | catch |
| #1 | heck_search_query-1226480-0.patch | 580 bytes | chi |
Comments
Comment #1
chi commentedI believe it has major priority because any user can discover an internal path to site installation.
Comment #2
catchPatch looks fine, do you think you could extend the existing tests or write a new one in search.test to cover this?
Comment #3
chi commentedNo, I can't. I haven't enough experience with drupal automated testing system.
Comment #4
catchOK, I wrote the test, thanks for the clear steps to reproduce. It's worth getting the hang of simpletest - trying to patch core tests is easier since they usually have some of the heavy lifting done for you (fortunately that was the case with this one so it's quite a short addition).
Uploading a patch with just the test - this should fail the test bot with an exception. After that fails please upload a combined patch with both the test and the fix.
Comment #5
catchComment #7
chi commentedComment #8
catchWhat happens if you search for a number? Should it be is_scalar() or !is_array() rather than is_string()?
Comment #9
chi commentedIt should be is_string() or !is_array() but not is_scalar() . Because type of $_REQUST['keys'] can be only string or array.
Comment #10
xjmTagging issues not yet using summary template.
Comment #11
catch#9 is right, I wrote the test but haven't touched the actual bug fix, so marking RTBC.
Comment #11.0
catchgrammar fix
Comment #11.1
mrmofo commentedIssue summary using template (by total newb).
Comment #11.2
mrmofo commentedEdit "API changes" to "none" and included Chi's original report.
Comment #12
xjmIssue summary added by mrmofo.
Comment #13
xjmSee: #1242472-15: Invalid type of $_GET variables causes PHP warnings and notices when treated as strings .
Edit: Basically, we should cast all these values as strings immediately when we assign them from
$_GET.Comment #14
xjmComment #15
xjmMarking as duplicate of #1242472: Invalid type of $_GET variables causes PHP warnings and notices when treated as strings to work on a more global solution.
Comment #16
xjmComment #17
clintthayer commentedHey folks,
Sorry to comment on a closed issue but I'm trying to track down if there was a backport fix for D6 on this issue. Looked in the dup thread mentioned #15 and not seeing anything.
Any help would be great - thanks,
c
Comment #18
clintthayer commentedNevermind... I believe this is my issue.
c
Comment #19
clintthayer commentedSorry - forgot to add the link: http://drupal.org/node/1446372
Comment #19.0
clintthayer commentedUpdated issue summary.