An end user can trigger a Warning by passing an array rather than a simple string as the q param in the URL, e.g. ?q[]=x
This seems not to affect Drupal 8, but only Drupal 7 and below.
A simple fix is to either cast $_GET['q'] to a string, or set it to the empty string if it's not a string.
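As an added example (not code from this issue or from Drupal core), the PHP below sketches the shape of the problem and of the two fixes named in the summary. The function names and the query-string driver are hypothetical; parse_str() stands in for how PHP populates $_GET from a query string such as ?q[]=x.

```php
<?php
// Added example, not Drupal's own code. Hypothetical function names; the
// shape of the check follows the two fixes proposed in the issue summary.

// Unpatched shape: trusts $_GET['q'] to be a string. With ?q[]=x, PHP fills
// $_GET['q'] with an array, so trim() receives an array:
//   PHP 7: Warning, and trim() returns NULL.
//   PHP 8: TypeError "trim(): Argument #1 ($string) must be of type string".
function request_path_unpatched(array $get)
{
    $path = '';
    if (isset($get['q'])) {
        $path = trim($get['q'], '/');
    }
    return $path;
}

// Fix 1: ignore q unless it is a string (the approach described for the #1 patch).
function request_path_ignore(array $get): string
{
    $path = '';
    if (isset($get['q']) && is_string($get['q'])) {
        $path = trim($get['q'], '/');
    }
    return $path;
}

// Fix 2: coerce a non-string q to the empty string. A bare (string) cast of
// an array would yield the literal 'Array' (as comment #3 notes), so use ''.
function request_path_coerce(array $get): string
{
    $q = $get['q'] ?? '';
    return trim(is_string($q) ? $q : '', '/');
}

// Constructed query strings; parse_str() builds $get the way PHP builds $_GET.
$queries = ['q=node/1', 'q[]=x', 'q[a]=x&q[b]=y', ''];

foreach ($queries as $qs) {
    parse_str($qs, $get);
    try {
        $unpatched = var_export(request_path_unpatched($get), true);
    } catch (TypeError $e) {
        $unpatched = 'TypeError';
    }
    printf("?%-14s ignore=%-9s coerce=%-9s unpatched=%s\n",
        $qs,
        var_export(request_path_ignore($get), true),
        var_export(request_path_coerce($get), true),
        $unpatched);
}
```

Both hardened variants return '' for the array cases and 'node/1' for the normal one; only the unpatched variant warns (PHP 7) or throws (PHP 8) when q is an array.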
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | 1576300-6.patch | 412 bytes | Albert Volkman |
| #1 | 1576300-1.patch | 533 bytes | pwolanin |
Comments
Comment #1
pwolanin commented: Here's a simple fix to ignore the 'q' param if it's not a string.
Comment #2
greggles commented: Given the history of problems with Drupal responding to URLs it shouldn't... perhaps the answer should be to 404 in this case?
Comment #3
pwolanin commented: Well, I can put in any number of query params that Drupal ignores, so I think ignoring it is a reasonable reaction here. Short of casting to the string 'Array' I don't see any easy way to throw a 404.
Comment #4
greggles commented: Fair point. Thanks.
Comment #5
David_Rothstein commented: Thanks! Committed to 7.x: http://drupalcode.org/project/drupal.git/commit/da11da0
This could potentially be backported to Drupal 6.
Comment #6
Albert Volkman commented: Not sure if this is the proper place to test this?
Comment #7
greggles commented: I don't think it needs tests.
Comment #8
Albert Volkman commented: Eh, I meant test as in testing the value with the in_string() method.
Comment #13
dsnopek commented: This issue is apparently still reported by security scanners as CVE-2012-2922, so it probably makes sense to address. That said, this is a pretty minor issue.
Comment #14
roderik commented: This patch is clearly safe / without side effects.
Plus it is growing a little 'less minor', because a request with ?q[]=x will now cause a
Fatal error: Uncaught TypeError: trim(): Argument #1 ($string) must be of type string, array given in ...
on PHP 8 with unpatched code.
Comment #15
izmeez commented: We have used the patch in #6 on sites for a long time now.
Comment #16
dsnopek commented: Thanks!
Committed:
https://github.com/d6lts/drupal/commit/93769a5ec6f9f2f4e958ee755f5f8a58e...