Commit d433aecf authored by alexpott's avatar alexpott

Issue #2508735 by darol100, dawehner, pwolanin, Chi, Fabianx, tim.plunkett:...

Issue #2508735 by darol100, dawehner, pwolanin, Chi, Fabianx, tim.plunkett: Code injection via preg_replace()
parent 0534e4cd
......@@ -265,14 +265,9 @@ public function getMachineNameSuggestion() {
// \Drupal\system\MachineNameController::transliterate(), so it might make
// sense to provide a common service for the two.
$transliterated = $this->transliteration()->transliterate($admin_label, LanguageInterface::LANGCODE_DEFAULT, '_');
$replace_pattern = '[^a-z0-9_.]+';
$transliterated = Unicode::strtolower($transliterated);
if (isset($replace_pattern)) {
$transliterated = preg_replace('@' . $replace_pattern . '@', '', $transliterated);
}
$transliterated = preg_replace('@[^a-z0-9_.]+@', '', $transliterated);
return $transliterated;
}
......
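Review bot: The new call on line 16 hard-codes the pattern, but nothing next to it records why, while the comment above still points readers at MachineNameController::transliterate(), which takes its pattern from the request; a later de-duplication could reintroduce a variable pattern built into the delimiters. Suggest a why-comment above the call: `// Keep this pattern a literal: wrapping a variable pattern in delimiters let the caller break out of them (issue #2508735).` The hunk header counts (-14/+9) do not match the lines shown, so part of this hunk is collapsed and not reviewed here; getMachineNameSuggestion() starts outside the hunk.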
......@@ -43,7 +43,7 @@ public function processInbound($path, Request $request) {
}
// Strip out path prefix.
$rest = preg_replace('|^' . $path_prefix . '|', '', $path);
$rest = preg_replace('|^' . preg_quote($path_prefix, '|') . '|', '', $path);
// Get the image style, scheme and path.
if (substr_count($rest, '/') >= 2) {
......
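Review bot: With preg_quote() applied on line 24 the pattern is a literal anchored prefix, so the regex engine is only doing a plain prefix strip; if the guard that sets $path_prefix (before the hunk, not visible here) already establishes that $path begins with it, `$rest = substr($path, strlen($path_prefix));` does the same work without a regex and without preg_replace()'s null return on a PCRE error. If that guarantee does not hold, the quoted pattern as committed is the right shape. processInbound() starts and ends outside the hunk.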
......@@ -67,7 +67,7 @@ public function transliterate(Request $request) {
$transliterated = Unicode::strtolower($transliterated);
}
if(isset($replace_pattern) && isset($replace)) {
$transliterated = preg_replace('@' . $replace_pattern . '@', $replace, $transliterated);
$transliterated = preg_replace('@' . preg_quote($replace_pattern, '@') . '@', $replace, $transliterated);
}
return new JsonResponse($transliterated);
}
......
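Review bot: preg_quote() on line 33 changes what $replace_pattern means: it is now matched as literal text, so a client that sends a character class such as the `[^a-z0-9_.]+` hard-coded in getMachineNameSuggestion() would only have that exact string replaced, which looks like a functional regression for any caller that relied on regex semantics (the caller is not visible here, so this is inferred). If callers genuinely need a regex, the request value has to be authenticated rather than escaped, for example issued together with a server-side HMAC over the pattern and verified before use; otherwise the controller should state that replace_pattern is literal text. A comment on this line such as `// replace_pattern is treated as literal text; request-supplied regexes are not trusted.` would record whichever intent is chosen. transliterate() starts outside the hunk.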