From 3ddc2e03f2262780889531cc49aa40e4b3929a3c Mon Sep 17 00:00:00 2001
From: catch <catch@35733.no-reply.drupal.org>
Date: Mon, 14 Feb 2022 13:39:53 +0000
Subject: [PATCH] Issue #3264050 by neclimdul, andypost: Fuzzed tag values to
 EntityAutocompleteController::handleAutocomplete can cause deprecation
 warning

---
 .../EntityAutocompleteController.php          | 38 ++++++++++---------
 .../Core/Entity/EntityAutocompleteTest.php    |  4 ++
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/core/modules/system/src/Controller/EntityAutocompleteController.php b/core/modules/system/src/Controller/EntityAutocompleteController.php
index 1bffd291a477..863c7535d685 100644
--- a/core/modules/system/src/Controller/EntityAutocompleteController.php
+++ b/core/modules/system/src/Controller/EntityAutocompleteController.php
@@ -79,27 +79,29 @@ public function handleAutocomplete(Request $request, $target_type, $selection_ha
     $matches = [];
     // Get the typed string from the URL, if it exists.
     if ($input = $request->query->get('q')) {
-      $typed_string = Tags::explode($input);
-      $typed_string = mb_strtolower(array_pop($typed_string));
+      $tag_list = Tags::explode($input);
+      if (!empty($tag_list)) {
+        $typed_string = mb_strtolower(array_pop($tag_list));
 
-      // Selection settings are passed in as a hashed key of a serialized array
-      // stored in the key/value store.
-      $selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
-      if ($selection_settings !== FALSE) {
-        $selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
-        if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
-          // Disallow access when the selection settings hash does not match the
-          // passed-in key.
-          throw new AccessDeniedHttpException('Invalid selection settings key.');
+        // Selection settings are passed in as a hashed key of a serialized array
+        // stored in the key/value store.
+        $selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
+        if ($selection_settings !== FALSE) {
+          $selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
+          if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
+            // Disallow access when the selection settings hash does not match the
+            // passed-in key.
+            throw new AccessDeniedHttpException('Invalid selection settings key.');
+          }
+        }
+        else {
+          // Disallow access when the selection settings key is not found in the
+          // key/value store.
+          throw new AccessDeniedHttpException();
         }
-      }
-      else {
-        // Disallow access when the selection settings key is not found in the
-        // key/value store.
-        throw new AccessDeniedHttpException();
-      }
 
-      $matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
+        $matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
+      }
     }
 
     return new JsonResponse($matches);
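Review bot: The `!empty($tag_list)` guard added at the top of the hunk now also encloses the selection-settings lookup and the `hash_equals()` check, so a request whose `q` explodes to no tags skips key validation entirely and answers `[]` with 200, even when `$selection_settings_key` is missing from the store or fails the HMAC check; before this change such a request was rejected with a 403. No data is exposed, but whether the key is validated should not depend on how the typed string parses, and it makes the access-denied path harder to test. Consider keeping the key lookup and `hash_equals()` check unconditional (as before) and narrowing the new guard to the `array_pop()` and `getMatches()` lines only, e.g. `if (!empty($tag_list)) { $typed_string = mb_strtolower(array_pop($tag_list)); $matches = $this->matcher->getMatches(...); }`. The `if ($input = $request->query->get('q'))` condition on the line above the hunk's first change is truthiness-based, so a typed `0` is also treated as no input; that is pre-existing and may be intended. handleAutocomplete begins and ends outside the hunk.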
diff --git a/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php b/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php
index 1b0bd8974a5d..e6cb4de3ae63 100644
--- a/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php
@@ -88,6 +88,10 @@ public function testEntityReferenceAutocompletion() {
       'label' => Html::escape($entity_3->name->value),
     ];
     $this->assertSame($target, reset($data), 'Autocomplete returns an entity label containing a comma and a slash.');
+
+    $input = '"l!J>&Tw';
+    $data = $this->getAutocompleteResult($input);
+    $this->assertSame([], $data, 'Autocomplete of invalid string returns empty result');
   }
 
   /**
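Review bot: The new assertion depends on `'"l!J>&Tw'` producing no tags from Tags::explode(), but nothing in the test explains why this input is special, so a later change to the tag parser could let the test pass for an unrelated reason. A comment above the new `$input` line, `// Presumably the unbalanced quote makes Tags::explode() return no tags; the controller must handle an empty tag list without warnings.`, would tie the fixture to the regression it covers; confirm the explanation against Tags::explode() before committing to it. The assertion message could also name the behaviour under test, e.g. `'Autocomplete of a string that yields no tags returns an empty result'`.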
-- 
GitLab