This issue was discussed by the Drupal Security Team, and their decision was that this can be solved in a public issue.
Problem/Motivation
Original report by @alexpott
This module has a potential RCE vulnerability. I've managed to inject #post_render into a render array. This means that if a view is somehow part of a form and its render array is cached as part of it, then a path similar to the file/ajax path could be used to run code.
[D7]
This is not an actual RCE vulnerability in Drupal 7. drupal_parse_url() output never ends up in render().
Steps to reproduce
The set up is quite obtuse.
1. You need a view leveraging something that extends \views_handler_field_links. For example, \views_handler_field_ctools_dropdown.
2. Have something like a node that allows users to enter links that are listed as part of the ctools dropdown button. You can achieve this by having a link field. You need to make views turn this into a link using the user input.
3. Then a user can enter URLs like http://example.com?test%5B%23post_render%5D=ls
I've not yet managed the next step of getting this into a cached form.
The problem comes from passing user input to drupal_parse_url() and using the resulting array in a render array.
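The mechanism behind the report, as an added example that is not code from this issue, from Drupal core or from the module: it emulates the query-string handling of Drupal 7's drupal_parse_url() with PHP's own parse_url() and parse_str(), parses the URL from step 3, shows that the resulting query array carries a "#post_render" key, and applies a hypothetical strip_render_properties() filter that drops every '#'-prefixed key before such an array can be placed into a render array. The function names and the sample URL value are assumptions for illustration.

```php
<?php
// Added example, not code from the Drupal issue, Drupal core or the module.
// parse_link_url() stands in for the external-URL branch of Drupal 7's
// drupal_parse_url(), which also hands the query string to parse_str().
function parse_link_url(string $url): array {
    $parts = parse_url($url);
    $query = [];
    if (isset($parts['query'])) {
        // parse_str() URL-decodes and expands bracket syntax into nested
        // arrays, so test%5B%23post_render%5D=ls becomes
        // ['test' => ['#post_render' => 'ls']].
        parse_str($parts['query'], $query);
    }
    return [
        'path' => ($parts['scheme'] ?? '') . '://' . ($parts['host'] ?? '') . ($parts['path'] ?? ''),
        'query' => $query,
        'fragment' => $parts['fragment'] ?? '',
    ];
}

// Does any key at any depth start with '#'? In a render array such keys are
// properties (#post_render, #pre_render, #theme, ...), not children, and
// several of them name callables.
function contains_render_property(array $input): bool {
    foreach ($input as $key => $value) {
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            return TRUE;
        }
        if (is_array($value) && contains_render_property($value)) {
            return TRUE;
        }
    }
    return FALSE;
}

// Hypothetical hardening: recursively drop '#'-prefixed keys from untrusted
// input so it can only ever contribute child elements, never properties.
function strip_render_properties(array $input): array {
    $clean = [];
    foreach ($input as $key => $value) {
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            continue;
        }
        $clean[$key] = is_array($value) ? strip_render_properties($value) : $value;
    }
    return $clean;
}

// Constructed sample: the link a user could enter into the link field,
// taken from step 3 of the report.
$user_link = 'http://example.com?test%5B%23post_render%5D=ls';

$parsed = parse_link_url($user_link);
var_dump(contains_render_property($parsed['query']));

$parsed['query'] = strip_render_properties($parsed['query']);
var_dump(contains_render_property($parsed['query']));
var_dump($parsed['query']);
```

Run with `php example.php`. The first var_dump() reports TRUE because parse_str() has produced `['test' => ['#post_render' => 'ls']]`; after filtering the second reports FALSE and the query array is reduced to `['test' => []]`, which is safe to embed as a child element. The check is deliberately recursive: the injected key sits one level down, under `test`, so a filter that only inspects top-level keys would miss it.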
Remaining tasks
Try to replicate this in D11.