Hi,

Recently I received a message from my hosting provider regarding a vulnerability in two websites running Drupal 11.3.10:

The vulnerability (a code-injection) has been found in the database-environment of your Drupal install, in the file: condition.php.

That was patched by patchman, which they run automatically. It appears to be a vulnerability still present in the latest version of Drupal, because after creating a fresh 11.3.10 install on a subdomain, I receive the exact same alert.

That's why I post this here, so it can be taken up and fixed ASAP.

Dirk Engelage 

Comments

jaypan’s picture

There are multiple files named Condition.php in Drupal core. Which one was it referring to?

Their message is confusing, because they said it's a problem in your database, but then supplied a filename - and files are not the database. Can you post the exact message they gave you, or ask for more info?

Contact me to contract me for D7 -> D10/11 migrations.

dirke’s picture

Hi Jaypan,

The only thing I can find on short notice is the location within Drupal on my website:
.../[subdomain]core/lib/Drupal/Core/Entity/Query/Sql/pgsql/Condition.php

I'll try to find out what exactly patchman found and what specific action was taken.

FYI, these are the contents of the file mentioned (maybe the trouble is in the part starting with @trigger_error or @deprecated, but what do I know):

<?php

namespace Drupal\Core\Entity\Query\Sql\pgsql;

use Drupal\Core\Database\Query\SelectInterface;
use Drupal\Core\Entity\Query\Sql\Condition as BaseCondition;

@trigger_error('\Drupal\Core\Entity\Query\Sql\pgsql\Condition is deprecated in drupal:11.2.0 and is removed from drupal:12.0.0. The PostgreSQL override of the entity query has been moved to the pgsql module. See https://www.drupal.org/node/3488580', E_USER_DEPRECATED);

/**
 * Implements entity query conditions for PostgreSQL databases.
 *
 * @deprecated in drupal:11.2.0 and is removed from drupal:12.0.0. The
 *   PostgreSQL override of the entity query has been moved to the pgsql module.
 *
 * @see https://www.drupal.org/node/3488580
 */
class Condition extends BaseCondition {

  /**
   * {@inheritdoc}
   */
  public static function translateCondition(&$condition, SelectInterface $sql_query, $case_sensitive) {
    if (is_array($condition['value']) && $case_sensitive === FALSE) {
      $condition['where'] = 'LOWER(' . $sql_query->escapeField($condition['real_field']) . ') ' . $condition['operator'] . ' (';
      $condition['where_args'] = [];

      // Only use the array values in case an associative array is passed as an
      // argument following similar pattern in
      // \Drupal\Core\Database\Connection::expandArguments().
      $where_prefix = str_replace('.', '_', $condition['real_field']);
      foreach (array_values($condition['value']) as $key => $value) {
        $where_id = $where_prefix . $key;
        $condition['where'] .= 'LOWER(:' . $where_id . '),';
        $condition['where_args'][':' . $where_id] = $value;
      }
      $condition['where'] = trim($condition['where'], ',');
      $condition['where'] .= ')';
    }
    parent::translateCondition($condition, $sql_query, $case_sensitive);
  }

}

jaypan’s picture

Is your database PGSQL?


dirke’s picture

Hi jaypan,

MariaDB, does that mean anything to you? I thought it was MySQL, but in the detailed site info it refers to MariaDB.

Dirk

jaypan’s picture

MariaDB is the open source MySQL.

The file you showed was for PGSQL though.

I don't think we have enough info to even be able to report anything. If you can get the company to tell you the exact file path, as well as the error they were patching for, we could create a report. But it's a bit too vague at this moment to figure out what your company was referring to.


dirke’s picture

Hi,

The path is what I found in the patchman report of my site (in fact two subdomains running this version of Drupal showing the same path). No more patchman details could be found there, so I already requested more detailed info. As soon as I have received that information I will of course share it here.

jaypan’s picture

It appears that the security vulnerability is a postgresql vulnerability in Drupal versions up to 11.3.9. So the solution is to upgrade to 11.3.10: https://www.drupal.org/project/drupal/releases/11.3.10

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

What's strange is you say your sites are already on 11.3.10. Are you sure?

Contact me to contract me for D7 -> D10/11 migrations.

dirke’s picture

Hi jaypan,

Thanks again for your attention! The vulnerability appears to have been still present in 11.3.10, because after updating to that version (mostly automated, as I want to be up to speed with updates as soon and as much as possible, just because of possible vulnerabilities) ... so after updating to .10 I once again received a message that patchman found exactly that vulnerability and repaired it. Since updating to 11.3.11 (a couple of days ago) no alarm bells have been ringing, so I concluded that the 'problem' had been repaired, and have communicated that observation with my hosting provider. I'll let them know that you found it to be a postgresql vulnerability and repaired it.

Thanks for the good work! Much appreciated!

Dirk
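
A quick way to settle the two questions raised in this thread (which core version is actually deployed, and whether the site uses the PostgreSQL driver at all), added here as an example and not part of any post above. The 11.3.10 threshold and the PostgreSQL scope are taken from jaypan's reading of the release; the function names and the sample docroot are constructed for illustration.

```shell
# Added example (not from the thread). FIXED_IN and "PostgreSQL only" come from
# the discussion above; file locations are Drupal's standard layout.
FIXED_IN="11.3.10"

# Core version as recorded in core/lib/Drupal.php (const VERSION = '...').
drupal_version() {
  sed -n "s/^ *const VERSION = '\([^']*\)';.*/\1/p" "$1/core/lib/Drupal.php" 2>/dev/null | head -n 1
}

# Active database driver from settings.php; commented-out examples are skipped.
db_driver() {
  grep -Ev '^[[:space:]]*(#|//|/?\*)' "$1/sites/default/settings.php" 2>/dev/null |
    sed -n "s/.*'driver' *=> *'\([^']*\)'.*/\1/p" | head -n 1
}

# True if $1 is older than $2, comparing major.minor.patch numerically
# (a plain string compare would rank 11.3.9 above 11.3.10).
version_lt() {
  awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# One-line verdict for a docroot: unknown, patched, exposed or outdated.
triage() {
  v=$(drupal_version "$1"); d=$(db_driver "$1")
  if [ -z "$v" ]; then echo "unknown version= driver=$d"
  elif ! version_lt "$v" "$FIXED_IN"; then echo "patched version=$v driver=$d"
  elif [ "$d" = "pgsql" ]; then echo "exposed version=$v driver=$d"
  else echo "outdated version=$v driver=$d"
  fi
}

# Constructed sample docroot so the script runs offline: make_sample DIR VERSION DRIVER
make_sample() {
  mkdir -p "$1/core/lib" "$1/sites/default"
  printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$2" > "$1/core/lib/Drupal.php"
  printf "<?php\n/**\n *   'driver' => 'pgsql',\n */\n\$databases['default']['default'] = [\n  'driver' => '%s',\n];\n" "$3" > "$1/sites/default/settings.php"
}

tmp=$(mktemp -d)
make_sample "$tmp/a" 11.3.9 pgsql && triage "$tmp/a"
make_sample "$tmp/b" 11.3.10 mysql && triage "$tmp/b"
rm -rf "$tmp"
```

Run `triage /path/to/docroot` against each site; a MariaDB site reports `driver=mysql`, since MariaDB uses Drupal's mysql driver.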