So the 5th argument in the URL sent to an anonymous user is a key that is created in search_api_saved_searches.search_entity.inc on line 116: $this->options['key'] = base64_encode(drupal_random_bytes(12)); The problem is that it is creating arguments with forward slashes. This is creating some interesting URLs such as /search-api/saved-search/5/activate/BEgbGXW8y/muRigF, /search-api/saved-search/3/activate/yXK/1hLRktd5utjw, and /search-api/saved-search/4/activate/DRC/yQCJGPMAreph. Of course, because of the forward slash, the key, which for example might be DRC/yQCJGPMAreph, is not being used to validate access, but just DRC in this case.

After a couple minutes of research...... I found drupal_hash_base64.

After a couple minutes of mystically learning Git bash.... here is a patch.

Attached file: idontknowhowtoname.patch (626 bytes), author: Adam S
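
The truncation described in the post above, reproduced as an added example that is not part of the original post, the attached patch or the module's code. The function names are hypothetical, PHP's random_bytes() stands in for drupal_random_bytes(), and the URL-safe variant uses the same character substitution that Drupal 7's drupal_hash_base64() applies to its output.

```php
<?php
// Added illustration: these function names are hypothetical, not module code.

// Mirrors the key generation quoted from line 116; plain base64 may emit '/' and '+'.
function make_key_plain(string $bytes): string {
  return base64_encode($bytes);
}

// URL-safe variant: '+' becomes '-', '/' becomes '_', '=' padding is dropped.
function make_key_urlsafe(string $bytes): string {
  return strtr(base64_encode($bytes), array('+' => '-', '/' => '_', '=' => ''));
}

// Stand-in for path-argument routing: split on '/', take the 5th argument.
function key_seen_by_router(string $path): string {
  $args = explode('/', trim($path, '/'));
  return isset($args[4]) ? $args[4] : '';
}

// Fraction of freshly generated plain keys that the router would split.
function slash_rate(int $samples): float {
  $hits = 0;
  for ($i = 0; $i < $samples; $i++) {
    if (strpos(make_key_plain(random_bytes(12)), '/') !== FALSE) {
      $hits++;
    }
  }
  return $hits / $samples;
}

// The 12 bytes behind one of the keys quoted in the post.
$bytes = base64_decode('DRC/yQCJGPMAreph');
$base = '/search-api/saved-search/4/activate/';

$keys = array('plain' => make_key_plain($bytes), 'urlsafe' => make_key_urlsafe($bytes));
foreach ($keys as $label => $key) {
  $seen = key_seen_by_router($base . $key);
  printf("%-8s stored=%s router=%s intact=%s\n", $label, $key, $seen,
    hash_equals($key, $seen) ? 'yes' : 'no');
}
printf("plain keys containing '/': %.1f%% of 10000 samples\n", 100 * slash_rate(10000));
```

A 12-byte key encodes to 16 base64 characters, so the chance that at least one of them is a forward slash is 1 - (63/64)^16, a little over one key in five.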

Comments

drunken monkey

Title: base64_encode is a bad function to use to make keys with -- it likes to use forward slashes » Fix base64 encoding of access keys
Priority: Critical » Major
Status: Active » Needs review

Oh, thanks a lot for spotting this! Hadn't thought of that …
Any objections to the patch? Otherwise, I'll commit it in the next few days.

drunken monkey

Status: Needs review » Fixed

OK, committed. Thanks again for your help!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.