Problem/Motivation

A database error occurs when a malicious actor sets the token URL query parameter to a non-UTF-8 value.
The \Drupal\access_unpublished\TokenGetter::setTokenFromRequest() sets the raw URL query parameter value for the token. This token value is then used to run a database query for the access_token entities in access_unpublished_entity_access. This can lead to database errors for non-UTF-8 values.

Proposed resolution

Check if the request's token value is valid UTF-8.
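As an added illustration of the proposed check (example code, not the access_unpublished module's own TokenGetter), the hypothetical class below validates the query value before it is stored for use in an entity query; the class name, method names and the constructed query values are assumptions.

```php
<?php
// Added example, not the access_unpublished module's code. A hypothetical token
// getter that keeps a query-string token only when it is well-formed UTF-8, so
// the value never reaches the access_token entity query otherwise.
final class SafeTokenGetter {
  private ?string $token = NULL;

  /**
   * Reads the token from a query array such as $_GET (in Drupal you would
   * read $request->query->get('token') instead) and validates its encoding.
   */
  public function setTokenFromQuery(array $query, string $param = 'token'): void {
    $this->token = NULL;
    $value = $query[$param] ?? NULL;
    if (!is_string($value) || $value === '') {
      return;
    }
    // mb_check_encoding() returns FALSE for byte sequences that are not
    // well-formed UTF-8, e.g. the lone 0xFF byte produced by "?token=%FF".
    if (!mb_check_encoding($value, 'UTF-8')) {
      return;
    }
    $this->token = $value;
  }

  public function getToken(): ?string {
    return $this->token;
  }
}

// Constructed sample query values: a plain ASCII token, a multibyte but valid
// UTF-8 string, a raw 0xFF byte, and a truncated 3-byte sequence.
$samples = [
  'ascii'      => 'abc123',
  'valid-utf8' => "caf\xC3\xA9",
  'lone-0xFF'  => "\xFF",
  'truncated'  => "\xE2\x82",
];
$getter = new SafeTokenGetter();
foreach ($samples as $label => $value) {
  $getter->setTokenFromQuery(['token' => $value]);
  $accepted = $getter->getToken() !== NULL ? 'accepted' : 'rejected';
  echo str_pad($label, 12) . $accepted . PHP_EOL;
}
```

Drupal core ships the same kind of check as \Drupal\Component\Utility\Unicode::validateUtf8(), which a module can call instead of mb_check_encoding().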


Comments

recrit created an issue. See original summary.

Comment by recrit

Status: Active » Needs review

The attached patch checks if the request query's value is UTF-8.

Comment by generalredneck

Priority: Normal » Major
Issue tags: +Needs tests

This seems important. But needs tests.

mably made their first commit to this issue’s fork.

Comment by mably

Issue tags: -Needs tests

Created a merge request with the accompanying kernel test.

  • generalredneck committed 8712e14e on 8.x-1.x authored by mably
    Issue #3333429 by recrit, mably, generalredneck: Check the URL query...

Comment by generalredneck

Status: Needs review » Fixed

This was merged into 1.x-dev.


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.