Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
The comments reply section of the core when accessed directly from URL as https://websitename.org/index.php/comment/reply/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enet%3C/scRipt%3E
throws error of plugin not found. This URL is hit via our web vulnerability scanner, which performs various url checks from security stand point. It seems like the comments reply function has not escaped the special characters.
Error thrown:
Drupal\Component\Plugin\Exception\PluginNotFoundException: The "'"--><" entity type does not exist. in Drupal\Core\Entity\EntityTypeManager->getDefinition() (line 150 of core/lib/Drupal/Core/Entity/EntityTypeManager.php).
Drupal\Core\ParamConverter\AdminPathConfigEntityConverter->convert() (Line: 100)
Drupal\Core\ParamConverter\ParamConverterManager->convert() (Line: 45)
Drupal\Core\Routing\Enhancer\ParamConversionEnhancer->enhance() (Line: 260)
Drupal\Core\Routing\Router->applyRouteEnhancers() (Line: 131)
Drupal\Core\Routing\Router->matchRequest() (Line: 92)
Drupal\Core\Routing\AccessAwareRouter->matchRequest() (Line: 113)
Symfony\Component\HttpKernel\EventListener\RouterListener->onKernelRequest()
call_user_func() (Line: 111)
Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher->dispatch() (Line: 127)
Symfony\Component\HttpKernel\HttpKernel->handleRaw() (Line: 68)
Symfony\Component\HttpKernel\HttpKernel->handle() (Line: 57)
Drupal\Core\StackMiddleware\Session->handle() (Line: 47)
Drupal\Core\StackMiddleware\KernelPreHandle->handle() (Line: 191)
Drupal\page_cache\StackMiddleware\PageCache->fetch() (Line: 128)
Drupal\page_cache\StackMiddleware\PageCache->lookup() (Line: 82)
Drupal\page_cache\StackMiddleware\PageCache->handle() (Line: 91)
Drupal\shield\ShieldMiddleware->handle() (Line: 47)
Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle() (Line: 52)
Drupal\Core\StackMiddleware\NegotiationMiddleware->handle() (Line: 23)
Stack\StackedHttpKernel->handle() (Line: 708)
Drupal\Core\DrupalKernel->handle() (Line: 19)
Steps to reproduce
Proposed resolution
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#3 | 3193771-pass.patch | 1.85 KB | larowlan |
#3 | 3193771-fail.patch | 973 bytes | larowlan |
Comments
Comment #2
larowlanComment #3
larowlanComment #5
quietone CreditAttribution: quietone as a volunteer commentedI applied the test patch and confirmed that the new test does generate the error message in the IS. Then I checked that convert can return a NULL, it can, see \Drupal\Core\ParamConverter\ParamConverterInterface::convert. The only thing I would change is the string used for the name of the entity type, 'yeah-this-is-not-an-entity-type', because it doesn't need to be that long. Simply, 'not-an-entity-type' would do. But it is not ambiguous.
Seems like a nice and tidy fix. Thanks.
Therefor RTBC.
Comment #6
larowlanI'm not wedded to
`yeah-this-is-not-an-entity-type`
- that came from my 'first, make it fun' rule :)But I realise it may not be fun enough, so happy to improve on that front.
c.f
\Drupal\error_service_test\MonkeysInTheControlRoom
Comment #9
catchErring on fun test URLs.
Committed/pushed to 9.2.x and cherry-picked to 9.1.x, thanks!
Comment #11
BerdirHa. This was actually a duplicate of #3103662: EntityConverter can fail with an exception when passing an invalid entity type that I reported.
This only fixed it for the default EntityConverter, there also 3 other converters that use getEntityTypeFromDefaults, I was about to reroll that other issue and put the logic there and was surprised that I couldn't reproduce it anymore ;)