Problem/Motivation
If the f GET parameter is nested more than one level, notices are thrown. This was observed when bots were trying to find weaknesses on our live environment. A lot of notices :-)
Steps to reproduce
Append the following string to a path where facets are active
?f[0][1]
Proposed resolution
In the file facets/src/Plugin/facets/url_processor/QueryString.php, in the function initializeActiveFilters, a check should be added to make sure the f parameter is not nested more than one level, otherwise the explode function and further will throw notices.
@@ -228,6 +228,11 @@ protected function initializeActiveFilters() {
// Explode the active params on the separator.
foreach ($active_params as $param) {
+ //make sure $param is a string
+ if (!is_string($param)) {
+ continue;
+ }
+
$explosion = explode($this->getSeparator(), $param);
$url_alias = array_shift($explosion);
$facet_id = $this->getFacetIdByUrlAlias($url_alias, $facet_source_id);
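Review bot: The added comment "//make sure $param is a string" does not match the style of the existing comment two lines above it ("// Explode the active params on the separator."): it needs a space after the slashes, a capital first letter and a closing period. It would also help to say why the check is there, for example that a nested query value such as f[0][1] arrives as an array and must be skipped before it reaches explode(). The is_string() guard with continue is a reasonable way to drop such values, but nothing in the visible hunk exercises it, so a test that requests a facet path with a nested f parameter and asserts that no notice is raised would keep this from regressing.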
This was tested on 8.x-1.8.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | facets-3202268-3.patch | 729 bytes | gertlor |
Comments
Comment #2
paulvb commented
Comment #3
gertlor commented
Here is a patch with the proposed solution
Comment #4
borisson_
It makes sense for us to do this. Tagging for the 2.x version.
Comment #6
borisson_
Committed to 2.x and 3.x, thanks!