Verified Commit e835d8dc authored by Jess's avatar Jess

SA-CORE-2025-007 by kevinquillen, larowlan, poker10, drumm, mingsong, xjm,...

SA-CORE-2025-007 by kevinquillen, larowlan, poker10, drumm, mingsong, xjm, mcdruid, benjifisher, ram4nd, drumm, greggles
parent 783419d4
+1 −1
@@ -27,7 +27,7 @@ public function onRespond(ViewEvent $event) {
    // not HTML though, we can also assume that the requested format is invalid
    // so we provide a 406 response.
    if (is_array($result) && $request->getRequestFormat() !== 'html') {
      throw new NotAcceptableHttpException('Not acceptable format: ' . $request->getRequestFormat());
      throw new NotAcceptableHttpException('A route that returns a rendered array as its response only supports the HTML format.');
    }
  }
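Review bot: The new fixed message on the `throw` line carries no explanation of why the request format was dropped, so a later cleanup could put it back for debugging. A one-line comment above the throw would record the intent, for example `// The request format is user-controlled; keep it out of the exception message, which is sent back in the response body.` The same comment applies to the changed `NotAcceptableHttpException` in `filter()` and the `BadRequestHttpException` in `getRequestFormat()` further down this commit. If the rejected value is still wanted for diagnosis, a server-side log entry is the place for it rather than the message. onRespond()'s body starts outside the hunk.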

+1 −1
@@ -62,7 +62,7 @@ public function filter(RouteCollection $collection, Request $request) {
    // \Symfony\Component\Routing\Exception\ResourceNotFoundException here
    // because we don't want to return a 404 status code, but rather a 406.
    $available_formats = static::getAvailableFormats($collection);
    $not_acceptable = new NotAcceptableHttpException("No route found for the specified format $format. Supported formats: " . implode(', ', $available_formats) . '.');
    $not_acceptable = new NotAcceptableHttpException("No route found for the specified format. Supported formats: " . implode(', ', $available_formats) . '.');
    if ($available_formats) {
      $links = [];
      foreach ($available_formats as $available_format) {
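Review bot: The replacement literal on the `$not_acceptable` line is still double-quoted although it no longer interpolates anything; single quotes (`'No route found for the specified format. Supported formats: '`) would show at a glance that no variable belongs in it. The `"Unrecognized format."` literal in `getRequestFormat()` has the same leftover. Separately, the message is built before the `if ($available_formats)` check, so with an empty list it would read `Supported formats: .`; that predates this change. filter() starts and continues outside the hunk.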
+1 −1
@@ -374,7 +374,7 @@ public function loginStatus() {
  protected function getRequestFormat(Request $request) {
    $format = $request->getRequestFormat();
    if (!in_array($format, $this->serializerFormats)) {
      throw new BadRequestHttpException("Unrecognized format: $format.");
      throw new BadRequestHttpException("Unrecognized format.");
    }
    return $format;
  }
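Review bot: `in_array($format, $this->serializerFormats)` compares loosely, and `$format` comes straight from the request. Passing the strict flag, `in_array($format, $this->serializerFormats, TRUE)`, keeps this allow-list check to exact string matches. The risk is small if the configured formats are plain names such as `xml`, but the strict form costs nothing, and the returned `$format` is presumably what callers use to pick a serializer.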
+1 −2
@@ -218,8 +218,7 @@ public function testExceptionEscaping(): void {
    // final exception subscriber, it is printed as partial HTML, and hence
    // escaped.
    $this->assertEquals('text/plain; charset=utf-8', $response->headers->get('Content-type'));
    // cspell:ignore jsonalert
    $this->assertStringStartsWith('Not acceptable format: jsonalert(123);', $response->getContent());
    $this->assertEquals('A route that returns a rendered array as its response only supports the HTML format.', $response->getContent());
  }

}
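Review bot: With the message now fixed text, the `assertEquals` on `$response->getContent()` no longer puts any request-supplied value through the escaping path that the test name and the comment above (`printed as partial HTML, and hence escaped`) describe. The comment should say what is now being checked, for example `// The request format must not be reflected in the response; the message is fixed text.` If escaping of exception messages by the final exception subscriber is still meant to be covered, that probably needs a separate case whose message does contain markup. The start of testExceptionEscaping() is outside the hunk, so the request it builds is not visible here.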
+2 −2
@@ -90,7 +90,7 @@ public function testNoRouteFound(): void {
    $request->setRequestFormat('xml');
    $route_filter = new RequestFormatRouteFilter();
    $this->expectException(NotAcceptableHttpException::class);
    $this->expectExceptionMessage('No route found for the specified format xml.');
    $this->expectExceptionMessage('No route found for the specified format.');
    $route_filter->filter($collection, $request);
  }

@@ -101,7 +101,7 @@ public function testNoRouteFound(): void {
   */
  public function testNoRouteFoundWhenNoRequestFormatAndSingleRouteWithMultipleFormats(): void {
    $this->expectException(NotAcceptableHttpException::class);
    $this->expectExceptionMessage('No route found for the specified format html.');
    $this->expectExceptionMessage('No route found for the specified format.');

    $url = $this->prophesize(GeneratedUrl::class);
    $url_assembler = $this->prophesize(UnroutedUrlAssemblerInterface::class);
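Review bot: `expectExceptionMessage()` passes when the expected text is contained in the message, so both updated expectations only pin the fixed prefix and say nothing about the rest of the string. To guard against the requested format being reflected again, the first test could catch the exception and add `$this->assertStringNotContainsString('xml', $e->getMessage());`, assuming `xml` is not among the route's supported formats, which the hunk does not show. The second test's body continues outside the hunk.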