Disallow dangerous filenames e.g. command injection characters
Problem/Motivation: Following discussion with the Drupal Security Team, it was agreed that this could be handled in a public "security improvements" issue. At present Drupal's file API allows filenames to...
Unnecessary asset optimization for old aggregated URLs
Problem/Motivation: After #3454507: Aggregated asset generation causes uncacheable assets we don't need to optimize assets when the hash from URL doesn't match. Steps to reproduce. Proposed...
Use JS or PHP-masquerading-as-image to test .htaccess on admin/reports/status
@mlhess wrote on #2508666: Drupal 8 .htaccess rule to prevent php file access can be easily bypassed: Can we build in a status check for people who may not have htaccess setup correctly. Something that...
Add validation constraints to user.flood
Problem/Motivation: The User module's flood has 4 property paths that are not yet validatable: vendor/bin/drush config:inspect --filter-keys=user.flood --detail --list-constraints...
Add validation constraints to system.performance
Problem/Motivation: system.performance has 4 property paths that are not yet validatable: ./vendor/bin/drush config:inspect --filter-keys=system.performance --detail --list-constraints ➜ 🤖 Analyzing…...
Cannot use <nolink> in link fields in default content
Problem/Motivation: When using <nolink> as the destination URL on a link field that is imported using default content, the import fails with this error: The URI '<nolink>l;' is invalid. You...
Add a .htaccess and web.config entry to mitigate against SA-CORE-2018-005
Problem/Motivation: SA-CORE-2018-005. Proposed resolution: Add a .htaccess and web.config mitigation. Remaining tasks: Patch file needs review. User interface changes: None. API changes: None. Data model changes: None.
[meta] Add constraints to all simple configuration
Problem/Motivation: Sibling issue for config entities: #2869792: [meta] Add constraints to all config entity types. Similar as we want to expose UPDATE functionality for config entities, (see #2869792:...
Add validation constraints to all system.* simple config (except system.rss)
Problem/Motivation: Per #2952037: [meta] Add constraints to all simple configuration, the current state of validatable simple config in the System module...
[PP-1] Enable dynamic queries to produce SQL with positional placeholders
Problem/Motivation: Drupal's dynamic queries produce SQL with named placeholders. In #3259709: Create the database driver for MySQLi, since mysqli is NOT supporting named placeholders, we are introducing...
TypeError: strlen(): Argument #1 ($string) must be of type string, array given
I am seeing an error with big pipe, call stack below. Error shows Drupal core 10.4.5 and 10.4.6. PHP 8.2. both on Linux (Ubuntu) and Windows systems. Error appears after an upgrade from a much older...
ConstraintManager::getDefinitionsByType does not validate definitions and can...
Problem/Motivation: Spinning from #3513113: Drupal core's ConstraintManager has poor DX, leading to XB triggering Validation constraint "type" must be an array of types. The definition has the key type...
Remove Drupal.behaviors.fillUserInfoFromBrowser
Problem/Motivation: Per #3498834: Dont use core's prepopulate function for core forms (Privacy) this violates GDPR, and it's also not secure on shared computers. In addition, modern web browsers have...
Notice: Undefined index: empty in...
Problem/Motivation: As in title. Steps to reproduce: Create a view with no relationships on Master, add a display with a relationship (override Master), add a numeric filter using the relationship with...
None validator incorrectly handles numeric arguments
Problem/Motivation: Hi, Found undefined variable argument in core/modules/views/src/Plugin/views/argument_validator/None.php. Steps to reproduce. Proposed resolution: Restore test of numeric plugin. Remaining...
Add mogtofu33 as a maintainer of the new theme system's Icon API
Problem/Motivation: A new API for Icon management has been added to Drupal 11.1: #3471494: Add an icon management API. It allows modules and themes to define icon packs using the YAML plugin discovery...
Add protocol filtering to Attribute
Problem/Motivation: Xss::filter() automatically does HTML escaping and protocol filtering on attributes. Protocols are filtered on everything except title, alt and data-Attribute however, while it claims...
Add validation constraints to file.settings config
Problem/Motivation: Child of #2952037: [meta] Add constraints to all simple configuration - let's add validation constraints to the config schema of file.settings so that it can be fully...
Config validation and changing strings to support NULL values
Problem/Motivation: In recent config validation issues we've been changing some string values to support NULLs where the empty string does not make sense. For example, #3437325: Add validation...
ComponentValidator ignores the set validator and creates a new one
Problem/Motivation: \Drupal\Core\Theme\Component\ComponentValidator has a method to setValidator. This allows contrib modules to change how the component validator behaves, including things like: Add their...