There is no validation of encoding on any of the configuration object types, which throws an unhandled exception.
Problem/Motivation
The configuration system handles lookup of objects defined in Drupal.
Objects are stored in the "config" database table, with the object name stored in the "name" field (e.g. node.type.article, views.view.articles, user.role.anonymous, etc.)
- The "name" field is defined as "varchar_ascii" in Drupal, and as varchar(255) with collation ascii_general_ci in the database
- "name" is used to look up routes, node types, view names, user roles, etc.
To resolve the URL "node/add/article", the route is matched to node/add/{node_type}
readMultiple() is called in core/lib/Drupal/Core/Config/DatabaseStorage.php to check that the configuration object {node_type} exists
There is no validation of encoding on any of the configuration object types, which throws an unhandled exception:
The website encountered an unexpected error. Try again later.
Drupal\Core\Database\DatabaseExceptionWrapper: SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (ascii_general_ci,IMPLICIT) and (utf8mb4_general_ci,COERCIBLE) for operation '=': SELECT "name", "data" FROM "config" WHERE "collection" = :collection AND "name" IN ( :names__0 ); Array ( [:collection] => [:names__0] => node.type.хакер ) in Drupal\Core\Config\DatabaseStorage->readMultiple() (line 110 of core/lib/Drupal/Core/Config/DatabaseStorage.php).
This leads to unnecessary database hits, which can lead to a server outage.
The error is not handled and the white screen of death is displayed.
This issue affects all routes of configuration objects, for example:
- /node/add/öüä
- /media/add/öüä
- /admin/structure/views/view/öüä
Steps to reproduce
Navigate to a route and insert non-ASCII values into the URL:
- /node/add/тест
- /media/add/тест
- /admin/structure/views/view/тест
- /views/ajax?view_name=view_тест&view_display_id=page_1&_drupal_ajax=1
Proposed resolution
Add validation before running the SQL query.
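One way to apply this validation, as an added example that is not Drupal core code or the merge request's code: names are checked for printable ASCII before any query is issued, a lookup treats a rejected name as not found, and creation raises InvalidArgumentException. The function names, the in-memory stand-in for the "config" table and the exact allowed character range are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal core code. All function names are hypothetical.

/** Splits names into [accepted, rejected] for an ascii_general_ci column. */
function partition_config_names(array $names): array {
  $ok = $bad = [];
  foreach ($names as $name) {
    // Assumption: printable ASCII without spaces, at most 255 bytes (varchar(255)).
    $safe = is_string($name) && strlen($name) <= 255
      && preg_match('/\A[\x21-\x7E]+\z/', $name) === 1;
    if ($safe) { $ok[] = $name; } else { $bad[] = $name; }
  }
  return [$ok, $bad];
}

/**
 * Validates names before the query runs.
 * $strict = FALSE (lookup): rejected names are treated as "not found".
 * $strict = TRUE (create): rejected names raise InvalidArgumentException.
 */
function read_multiple_checked(array $names, callable $query, bool $strict = FALSE): array {
  [$ok, $bad] = partition_config_names($names);
  if ($strict && $bad) {
    // Percent-encode so the message stays ASCII when printed or logged.
    $shown = implode(', ', array_map(
      fn($n) => is_string($n) ? rawurlencode($n) : gettype($n), $bad));
    throw new InvalidArgumentException("Invalid configuration name(s): $shown");
  }
  // Skip the database entirely when no valid name is left.
  return $ok ? $query($ok) : [];
}

// Constructed stand-in for the "config" table and its SELECT ... IN (...) query.
$table = ['node.type.article' => 'a:0:{}'];
$queries = 0;
$query = function (array $names) use ($table, &$queries): array {
  $queries++;
  return array_intersect_key($table, array_flip($names));
};

var_dump(read_multiple_checked(['node.type.article'], $query));
var_dump(read_multiple_checked(['node.type.тест'], $query));
echo "queries run: $queries\n";
try {
  read_multiple_checked(['node.type.тест'], $query, TRUE);
} catch (InvalidArgumentException $e) {
  echo $e->getMessage(), "\n";
}
```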
Remaining tasks
- Create a Functional test that fails without the fix and passes with the latest MR applied.
User interface changes
If trying to add a new config entity with an invalid name, the invalid name will be validated and an InvalidArgumentException will be triggered. The Exception will print a simple explanatory message to the screen.
Introduced terminology
- none
API changes
- none
Data model changes
- none
Release notes snippet
- Added validation before looking up configuration objects (Unhandled exception when looking up a configuration object by name which contains non-ASCII characters)
Note: There are a lot of configuration fields which are collated to ascii_general_ci, but most have no validation before a non-ASCII value is queried or inserted, which throws an unhandled exception.