An end user can trigger a Warning by passing an array rather than simple string as the q param in the URL . e.g. ?q[]=x

This seems not to affect Drupal 8, but only Drupal 7 and below.

A simple fix is to either cast $_GET['q'] to a string, or set it to the empty string if it's not a string.

Files: 
CommentFileSizeAuthor
#6 1576300-6.patch412 bytesAlbert Volkman
FAILED: [[SimpleTest]]: [MySQL] 190 pass(es), 0 fail(s), and 220 exception(s). View
#1 1576300-1.patch533 bytespwolanin
PASSED: [[SimpleTest]]: [MySQL] 39,125 pass(es). View

Comments

pwolanin’s picture

Status: Active » Needs review
FileSize
533 bytes
PASSED: [[SimpleTest]]: [MySQL] 39,125 pass(es). View

Here's a simple fix to ignore the 'q' param if it's not a string.

greggles’s picture

Given the history of problems with Drupal responding to URLs it shouldn't...perhaps the answer should be to 404 in this case?

pwolanin’s picture

Well, I can put in any number of query params that Drupal ignores, so I think ignoring it is a reasonable reaction here. Short of casting to the string 'Array' I don't see any easy way to throw a 404.

greggles’s picture

Status: Needs review » Reviewed & tested by the community

Fair point. Thanks.

David_Rothstein’s picture

Version: 7.x-dev » 6.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)
Issue tags: +needs backport to D6

Thanks! Committed to 7.x: http://drupalcode.org/project/drupal.git/commit/da11da0

This could potentially be backported to Drupal 6.

Albert Volkman’s picture

Status: Patch (to be ported) » Needs review
FileSize
412 bytes
FAILED: [[SimpleTest]]: [MySQL] 190 pass(es), 0 fail(s), and 220 exception(s). View

Not sure if this is the proper place to test this?

greggles’s picture

Status: Needs review » Reviewed & tested by the community

I don't think it needs tests.

Albert Volkman’s picture

Eh, I meant test as in testing the value with the in_string() method.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 6: 1576300-6.patch, failed testing.

Status: Needs work » Needs review

greggles queued 6: 1576300-6.patch for re-testing.

Status: Needs review » Needs work

The last submitted patch, 6: 1576300-6.patch, failed testing.

Status: Needs work » Closed (outdated)

Automatically closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.