Automated tests were not committed together with the fix since the patch was outdated. This ticket is a follow up for the security issue to add test coverage. See https://www.drupal.org/sa-core-2020-006

CommentFileSizeAuthor
#8 3096267-8.patch7.17 KBbr0ken
#2 3096267-2.patch3.47 KBbr0ken
#2 3096267-2-do-not-commit.patch2.66 KBbr0ken

Issue fork drupal-3096267

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

BR0kEN created an issue. See original summary.

br0ken’s picture

br0ken
Primary language Ukrainian
commented
Status: Active » Needs review
StatusFileSize
new 3096267-2-do-not-commit.patch2.66 KB
new 3096267-2.patch3.47 KB

3096267-2-do-not-commit.patch - visualizes the problem.
3096267-2.patch - provides a fix.

However, the Drupal\jsonapi\Entity\EntityValidationTrait::validate() with $field_names parameter is also called from Drupal\jsonapi\Controller\FileUpload::handleFileUploadForExistingResource() where the $file_field_name (used in static::validate($entity, [$file_field_name])) might be not internal name.

br0ken’s picture

br0ken
Primary language Ukrainian
commented

Both methods of Drupal\jsonapi\Controller\FileUpload are affected too :(

The last submitted patch, 2: 3096267-2-do-not-commit.patch, failed testing. View results

gabesullice’s picture

gabesullice
Primary language English
commented

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

br0ken’s picture

br0ken
Primary language Ukrainian
commented
Title: Validation constraint violations are getting removed for PATCH requests having aliased fields » Add tests to cover SA-CORE-2020-006
Version: 8.9.x-dev » 9.0.x-dev
Category: Bug report » Support request
Priority: Major » Normal
Issue summary: View changes
Status: Needs review » Needs work
br0ken’s picture

br0ken
Primary language Ukrainian
commented
Assigned: br0ken » Unassigned
Status: Needs work » Needs review
StatusFileSize
new 3096267-8.patch7.17 KB

Version: 9.0.x-dev » 9.1.x-dev

Drupal 9.0.10 was released on December 3, 2020 and is the final full bugfix release for the Drupal 9.0.x series. Drupal 9.0.x will not receive any further development aside from security fixes. Sites should update to Drupal 9.1.0 to continue receiving regular bugfixes.

Drupal-9-only bug reports should be targeted for the 9.1.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.2.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.1.x-dev » 9.3.x-dev

Drupal 9.1.10 (June 4, 2021) and Drupal 9.2.10 (November 24, 2021) were the last bugfix releases of those minor version series. Drupal 9 bug reports should be targeted for the 9.3.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
commented
smustgrave’s picture

smustgrave commented
Category: Support request » Bug report
Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative, +Needs issue summary update

Probably could use an issue summary update. Also should be in an MR.

mrinalini9 made their first commit to this issue’s fork.

mrinalini9 opened merge request !9709

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.