An end user can trigger a Warning by passing an array rather than a simple string as the q param in the URL, e.g. ?q[]=x

This seems not to affect Drupal 8, but only Drupal 7 and below.

A simple fix is to either cast $_GET['q'] to a string, or set it to the empty string if it's not a string.
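The following is an added example (not Drupal's own code and not part of the original issue) that illustrates the report: PHP turns ?q[]=x into an array value for $_GET['q'], so any code that hands that value to a string function misbehaves, and the two remedies named above (cast, or fall back to the empty string when the value is not a string) are shown side by side. The function names request_path_naive() and request_path_guarded(), and the query arrays fed to them, are constructed for this example; they stand in for the superglobal $_GET and are not Drupal identifiers.

```php
<?php
// Added example, not Drupal code: what an array-valued ?q[]=x does to string
// handling, and the is_string() guard that ignores it. Inputs are constructed
// arrays standing in for PHP's $_GET superglobal.

/**
 * Naive path extraction that assumes $get['q'] is a string.
 * With ?q[]=x PHP populates $get['q'] as an array, so trim() receives an
 * array: a Warning (and NULL result) on PHP 5/7, a TypeError on PHP 8.
 */
function request_path_naive(array $get): string {
    return isset($get['q']) ? trim($get['q'], '/') : '';
}

/**
 * Guarded variant: only honour q when it really is a string, otherwise treat
 * the request as having no path (the empty string, i.e. the front page).
 * Casting instead would yield the literal path 'Array', which is why the
 * discussion prefers ignoring the value over casting it.
 */
function request_path_guarded(array $get): string {
    if (isset($get['q']) && is_string($get['q'])) {
        return trim($get['q'], '/');
    }
    return '';
}

// Constructed query strings and the $_GET arrays PHP would build from them.
$cases = [
    '?q=node/1' => ['q' => 'node/1'],
    '?q[]=x'    => ['q' => ['x']],        // array-valued parameter
    '?q[a]=b'   => ['q' => ['a' => 'b']], // nested array parameter
    '(none)'    => [],
];

// Turn warnings into exceptions so PHP 7 and PHP 8 fail the same visible way.
set_error_handler(function (int $errno, string $errstr): bool {
    throw new ErrorException($errstr, 0, $errno);
});

foreach ($cases as $label => $get) {
    try {
        $naive = var_export(request_path_naive($get), true);
    } catch (Throwable $e) {
        // Array input: ErrorException (PHP 5/7 Warning) or TypeError (PHP 8).
        $naive = 'FAILS: ' . get_class($e);
    }
    $guarded = var_export(request_path_guarded($get), true);
    printf("%-10s naive=%-24s guarded=%s\n", $label, $naive, $guarded);
}
restore_error_handler();
```

Run with `php example.php`: the string and missing-parameter cases give the same result from both functions, while the two array cases fail in the naive version and fall back to '' in the guarded one.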

Files:
#6 1576300-6.patch (412 bytes, Albert Volkman): PASSED: [[SimpleTest]]: [MySQL] 190 pass(es).
#1 1576300-1.patch (533 bytes, pwolanin): PASSED: [[SimpleTest]]: [MySQL] 39,125 pass(es).

Comments

Status: Active » Needs review
New file: 1576300-1.patch (533 bytes): PASSED: [[SimpleTest]]: [MySQL] 39,125 pass(es).

Here's a simple fix to ignore the 'q' param if it's not a string.

Given the history of problems with Drupal responding to URLs it shouldn't...perhaps the answer should be to 404 in this case?

Well, I can put in any number of query params that Drupal ignores, so I think ignoring it is a reasonable reaction here. Short of casting to the string 'Array' I don't see any easy way to throw a 404.

Status: Needs review » Reviewed & tested by the community

Fair point. Thanks.

Version: 7.x-dev » 6.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)
Issue tags: +needs backport to D6

Thanks! Committed to 7.x: http://drupalcode.org/project/drupal.git/commit/da11da0

This could potentially be backported to Drupal 6.

Status: Patch (to be ported) » Needs review
New file: 1576300-6.patch (412 bytes): PASSED: [[SimpleTest]]: [MySQL] 190 pass(es).

Not sure if this is the proper place to test this?

Status: Needs review » Reviewed & tested by the community

I don't think it needs tests.

Eh, I meant test as in testing the value with the is_string() method.