Channel: Issues for Drupal core

Validate view_name in ajaxView()

Problem/Motivation

Similar to Validating String Encodings Before Insert, a malicious user tried to change an SQL query by manipulating the URL of an AJAX call, which resulted in the following error:

Drupal\Core\Database\DatabaseExceptionWrapper: SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (ascii_general_ci,IMPLICIT) and (utf8mb4_general_ci,COERCIBLE) for operation '=': SELECT "name", "data" FROM "config" WHERE "collection" = :collection AND "name" IN ( :names__0 ); Array
(
    [:collection] =>
    [:names__0] => views.view.awards鎈'"\(
)
 in Drupal\Core\Config\DatabaseStorage->readMultiple() (line 111 of /var/www/<site>/public/core/lib/Drupal/Core/Config/DatabaseStorage.php).

Steps to reproduce

To reproduce this, you can just hit this URL: https:///views/ajax?view_name=awards鎈'"\(&view_display_id=page_1&_drupal_ajax=1
...and pass in some weird character with the view name (in this case the user passed in the view name 'awards' with some (Chinese??) character and some other characters after it).

Proposed resolution

Validate the view_name inside ViewAjaxController::ajaxView() before Drupal tries to use it to load a config entity.
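
One way such a check could look, as an added example that is not Drupal core's code and not a patch from this issue: a stand-alone allow-list validator applied to the raw view_name before it is used to build the "views.view.<name>" config lookup. The function name, the pattern and the length limit are assumptions made for this sketch.

```php
<?php

declare(strict_types=1);

// Assumption: view IDs are machine names made of lowercase ASCII letters,
// digits and underscores. Adjust the pattern if a site uses other IDs.
const VIEW_ID_PATTERN = '/\A[a-z0-9_]+\z/';
// Assumption: upper bound on the ID length, chosen for this example.
const VIEW_ID_MAX_LENGTH = 128;

/**
 * Returns the view name if it is a well-formed machine name, else NULL.
 *
 * Hypothetical helper: on NULL the caller rejects the request instead of
 * passing the value on to the config storage query.
 */
function validated_view_name(mixed $raw): ?string {
  // Query parameters can arrive as arrays (view_name[]=x); accept only
  // non-empty strings of bounded length.
  if (!is_string($raw) || $raw === '' || strlen($raw) > VIEW_ID_MAX_LENGTH) {
    return NULL;
  }
  // The allow-list is ASCII-only and anchored with \A and \z, so multi-byte
  // characters, quotes, backslashes and trailing newlines all fail here.
  return preg_match(VIEW_ID_PATTERN, $raw) === 1 ? $raw : NULL;
}

// Constructed sample inputs; the second is the view_name value from the
// error message in this report.
$samples = [
  'awards',
  'awards鎈\'"\\(',
  ['awards'],
  '',
  "awards\n",
  'front_page_2',
];

foreach ($samples as $sample) {
  $label = is_array($sample) ? '(array)' : json_encode($sample, JSON_UNESCAPED_UNICODE);
  $result = validated_view_name($sample) === NULL ? 'reject' : 'accept';
  printf("%-24s => %s\n", $label, $result);
}
```

Only 'awards' and 'front_page_2' are accepted; the value from the report is rejected before any database query is built, so the collation error is never reached.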

