For example, you can get a warning if you fake the name field in the login form.
This applies to a lot of Drupal forms and can potentially cause security problems.

The most common error messages:

  • Warning: htmlspecialchars() expects parameter 1 to be string, array given in check_plain() (line 1348 of .../includes/bootstrap.inc).
  • Warning: trim() expects parameter 1 to be string, array given in comment_submit() (line 2159 of .../modules/comment/comment.module).
  • Warning: mb_strlen() expects parameter 1 to be string, array given in drupal_strlen() (line 441 of .../includes/unicode.inc).
  • Warning: Invalid argument supplied for foreach() in drupal_explode_tags() (line 7083 of .../includes/common.inc).
  • Warning: array_unique() expects parameter 1 to be array, null given in drupal_explode_tags() (line 7080 of .../includes/common.inc).
  • Warning: preg_match_all() expects parameter 2 to be string, array given in drupal_explode_tags() (line 7079 of .../includes/common.inc).
  • Warning: strpos() expects parameter 1 to be string, array given in user_validate_name() (line 626 of .../modules/user/user.module).
  • Warning: substr() expects parameter 1 to be string, array given in user_validate_name() (line 623 of .../modules/user/user.module).
  • Warning: addcslashes() expects parameter 1 to be string, array given in DatabaseConnection->escapeLike() (line 965 of .../includes/database\database.inc).

There is a related issue: #1242472: Invalid type of $_GET variables causes PHP warnings and notices when treated as strings
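
The warnings listed above all come from string functions receiving an array where a form field was expected to hold one string. As an added example (not part of the original issue and not Drupal core code), one way to reject such input before any handler touches it; the function name, the list of element types and the sample form are assumptions, and nested input is assumed to mirror the form tree:

```php
<?php
// Added example, not Drupal core code. The function name and the type list
// are hypothetical; the form array only imitates Drupal's '#type' convention.

/** Element types whose submitted value must be a single string. */
const SCALAR_TYPES = ['textfield', 'password', 'textarea', 'hidden'];

/**
 * Returns the names of scalar elements that received a non-string value.
 * Assumes nested input mirrors the form tree (as with '#tree' => TRUE).
 */
function find_type_mismatches(array $form, array $input, string $prefix = ''): array {
  $bad = [];
  foreach ($form as $key => $element) {
    // Skip properties such as '#type' and anything that is not an element.
    if (!is_array($element) || (is_string($key) && $key !== '' && $key[0] === '#')) {
      continue;
    }
    $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
    $value = $input[$key] ?? NULL;
    if (in_array($element['#type'] ?? NULL, SCALAR_TYPES, TRUE)) {
      // name[]=x arrives as an array; catch it before trim(), mb_strlen(),
      // strpos() and similar string functions are called on it.
      if ($value !== NULL && !is_string($value)) {
        $bad[] = $path;
      }
    }
    else {
      // Container element: check its children against the nested input.
      $child_input = is_array($value) ? $value : [];
      $bad = array_merge($bad, find_type_mismatches($element, $child_input, $path));
    }
  }
  return $bad;
}

// Constructed sample: a login-style form, and a request in which "name" was
// submitted as an array instead of a string.
$form = [
  '#type' => 'form',
  'name' => ['#type' => 'textfield', '#title' => 'Username'],
  'pass' => ['#type' => 'password', '#title' => 'Password'],
];
$input = ['name' => ['admin'], 'pass' => 'secret'];

$bad = find_type_mismatches($form, $input);
if ($bad) {
  // A real handler would stop here and answer with HTTP 400.
  echo 'Rejected, non-string value for: ' . implode(', ', $bad) . PHP_EOL;
}
```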

Comments

Dave Reid

Status: Active » Closed (won't fix)

This issue should be solved exactly like the $_GET issue:

Garbage in, garbage out. Unless there's a security issue involved, this won't fix. Fix the calling code instead.

Chi

So we are waiting for a security issue.

xjm

I don't think there is any reason to anticipate a security issue.

Chi

Version: 8.0.x-dev » 8.6.x-dev
Status: Closed (won't fix) » Active
Related issues: +#1242472: Invalid type of $_GET variables causes PHP warnings and notices when treated as strings

It's time to rethink this as the security issue has come.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

catch