Problem/Motivation
Similar to Validating String Encodings Before Insert, a malicious user tried to change an sql query by manipulating the url of an ajax call which resulted in the following error:
Drupal\Core\Database\DatabaseExceptionWrapper: SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (ascii_general_ci,IMPLICIT) and (utf8mb4_general_ci,COERCIBLE) for operation '=': SELECT "name", "data" FROM "config" WHERE "collection" = :collection AND "name" IN ( :names__0 ); Array
(
[:collection] =>
[:names__0] => views.view.awards鎈'"\(
)
in Drupal\Core\Config\DatabaseStorage->readMultiple() (line 111 of /var/www/<site>/public/core/lib/Drupal/Core/Config/DatabaseStorage.php).
Steps to reproduce
To reproduce this, you can just hit this url: https:///views/ajax?view_name=awards鎈'"\(&view_display_id=page_1&_drupal_ajax=1
..and pass in some weird character with the view name (in this case the user passed in the view name 'awards' with some (chinese??) character and some other characters after it.
Proposed resolution
Validate the view_name inside ViewAjaxController::ajaxView() before Drupal tries to use it to load a config entity.