Commit 39d1e855 authored by alexpott's avatar alexpott

Issue #2822190 by webflo, Wim Leers, dawehner, alexpott, effulgentsia,...

Issue #2822190 by webflo, Wim Leers, dawehner, alexpott, effulgentsia, SchnWalter: PathValidator validates based on a RequestContext leaked from the current request, resulting in false negatives during CLI requests and POST submissions
parent d313bdda
......@@ -6,6 +6,7 @@
use Drupal\Core\ParamConverter\ParamNotConvertedException;
use Drupal\Core\PathProcessor\InboundPathProcessorInterface;
use Drupal\Core\Routing\AccessAwareRouterInterface;
use Drupal\Core\Routing\RequestContext;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;
use Symfony\Cmf\Component\Routing\RouteObjectInterface;
......@@ -152,23 +153,30 @@ protected function getPathAttributes($path, Request $request, $access_check) {
$router = $this->accessAwareRouter;
}
$initial_request_context = $router->getContext() ? $router->getContext() : new RequestContext();
$path = $this->pathProcessor->processInbound('/' . $path, $request);
try {
return $router->match($path);
$request_context = new RequestContext();
$request_context->fromRequest($request);
$router->setContext($request_context);
$result = $router->match($path);
}
catch (ResourceNotFoundException $e) {
return FALSE;
$result = FALSE;
}
catch (ParamNotConvertedException $e) {
return FALSE;
$result = FALSE;
}
catch (AccessDeniedHttpException $e) {
return FALSE;
$result = FALSE;
}
catch (MethodNotAllowedException $e) {
return FALSE;
$result = FALSE;
}
$router->setContext($initial_request_context);
return $result;
}
}
<?php
namespace Drupal\KernelTests\Core\Path;
use Drupal\Core\Routing\RequestContext;
use Drupal\Core\Url;
use Drupal\entity_test\Entity\EntityTest;
use Drupal\KernelTests\KernelTestBase;
/**
* Tests the path validator.
*
* @group Path
*
* @see \Drupal\Core\Path\PathValidator
*/
class PathValidatorTest extends KernelTestBase {
/**
* {@inheritdoc}
*/
public static $modules = ['path', 'entity_test', 'user'];
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
$this->installEntitySchema('entity_test');
}
public function testGetUrlIfValidWithoutAccessCheck() {
$requestContext = \Drupal::service('router.request_context');
$pathValidator = \Drupal::service('path.validator');
$entity = EntityTest::create([
'name' => 'test',
]);
$entity->save();
$methods = [
'POST',
'GET',
'PUT',
'PATCH',
'DELETE',
NULL, // Used in CLI context.
FALSE, // If no request was even pushed onto the request stack, and hence
];
foreach ($methods as $method) {
if ($method === FALSE) {
$request_stack = $this->container->get('request_stack');
while ($request_stack->getCurrentRequest()) {
$request_stack->pop();
}
$this->container->set('router.request_context', new RequestContext());
}
$requestContext->setMethod($method);
/** @var \Drupal\Core\Url $url */
$url = $pathValidator->getUrlIfValidWithoutAccessCheck($entity->toUrl()->toString(TRUE)->getGeneratedUrl());
$this->assertEquals($method, $requestContext->getMethod());
$this->assertInstanceOf(Url::class, $url);
$this->assertSame($url->getRouteParameters(), ['entity_test' => $entity->id()]);
}
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment