Problem/Motivation
When you send a request using Accept: application/json, the response is "A fatal error occurred: The Response content must be a string or object implementing __toString()".
In the similar onAjax function, the page_callback_result is sent through ajax_render(). Doing the same in the onJson function removes the error. This is because the last thing ajax_render does is pass the object through drupal_json_encode.
Proposed resolution
Pass the object through drupal_json_encode.
Comment | File | Size | Author |
---|---|---|---|
#6 | 1751328-05-json-response.patch | 678 bytes | Hanspolo |
#2 | 1751328-02-json-response.patch | 586 bytes | linclark |
#1 | 1751328-01-json-response.patch | 609 bytes | linclark |
Comments
Comment #1
Anonymous (not verified) commented
This patch resolves the issue.
It can be tested by running "curl -H "Accept: application/json" http://localhost/drupal/node/1" in the command line.
Comment #2
Anonymous (not verified) commented
Another way (probably better) to solve this is to use the JsonResponse object's setData() instead of setContent().
Comment #3
larowlan
Comment #4
Anonymous (not verified) commented
Instead of calling setData, we can actually pass the array in as the first parameter when constructing the Response object.
Comment #5
Crell commented
If we have an array, yes. Are you saying #2 doesn't work? The bot says it does, and it seems a simple enough fix.
Comment #6
Hanspolo commented
Here is another patch.
It calls the constructor with the data.
Using the data instead of content works fine with arrays.
Non-array data works as with the setContent() method.
Comment #7
patrickd commented
Tested:
#1 works
#2 works <-- I personally prefer this one
#6 works
Comment #8
Dries commented
Committed #2 to 8.x. Thanks!
Comment #9
smartinm commented
IMHO this patch could introduce a security flaw: anyone can view the internal structure of a node. For example:
$ curl -H "Accept: application/json" http://localhost/sandbox/drupal-8.x/node/7
Returns a string that contains a JSON representation of the node object:
Comment #10
smartinm
Comment #11
Crell commented
I'm not clear how this issue introduces a sec. hole. This just fixes a bug. Right now, er, I'm not actually sure how we're returning JSON forms of nodes yet. :-)
Comment #12
smartinm commented
You're right, the bugfix for this issue is correct but the patch has highlighted the security hole. I think the behavior of the new routing system when matching by HTTP Accept header can be an information disclosure threat.
Comment #13
Crell commented
We're not matching by accept header yet.
This sounds like a new issue is needed. If you can, please make a test case that shows the hole and file it as a new issue, tagging it WSCCI and security. Thanks.
Comment #14.0
(not verified) commented
Updated the issue summary with new information.
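
The concern raised in comments #9 and #12, that JSON-encoding a whole node object hands every property to the requester, shown as an added example that is not part of this thread or of Drupal core. The node object, its property names and the allowlist are constructed for illustration; the helper function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not Drupal core code. The node below is constructed
// sample data; its property names are assumptions made for this demo.

/** Encode the whole object, as happens when a raw callback result is JSON-encoded. */
function encode_full(object $node): string {
  return json_encode($node, JSON_THROW_ON_ERROR);
}

/** Encode only explicitly allowlisted properties; everything else stays server-side. */
function encode_allowlisted(object $node, array $allowed): string {
  $public = array_intersect_key(get_object_vars($node), array_flip($allowed));
  return json_encode($public, JSON_THROW_ON_ERROR);
}

/** List top-level keys in a JSON body that are not on the allowlist (a regression check). */
function unexpected_keys(string $json, array $allowed): array {
  $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
  return array_values(array_diff(array_keys($data), $allowed));
}

// Constructed sample node: an unpublished item carrying internal-only fields.
$node = new stdClass();
$node->nid = 7;
$node->title = 'Hello';
$node->uid = 1;
$node->status = 0;
$node->revision_log = 'internal note';

// Fields the JSON representation is meant to expose (assumed for the demo).
$allowed = ['nid', 'title'];

$full = encode_full($node);
$safe = encode_allowlisted($node, $allowed);

echo $full, PHP_EOL;
echo $safe, PHP_EOL;
echo 'Extra keys in full encoding: ',
  implode(', ', unexpected_keys($full, $allowed)) ?: '(none)', PHP_EOL;
echo 'Extra keys in allowlisted encoding: ',
  implode(', ', unexpected_keys($safe, $allowed)) ?: '(none)', PHP_EOL;
```

A check like `unexpected_keys()` can run in a functional test against the JSON response, so that a later change which starts serializing the whole object again fails the test.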