diff --git a/core/lib/Drupal/Component/Utility/UrlHelper.php b/core/lib/Drupal/Component/Utility/UrlHelper.php
index 356aa4a4a77..14ae12a8e8b 100644
--- a/core/lib/Drupal/Component/Utility/UrlHelper.php
+++ b/core/lib/Drupal/Component/Utility/UrlHelper.php
@@ -99,16 +99,23 @@ class UrlHelper {
 * A string as compressed by
 * \Drupal\Component\Utility\UrlHelper::compressQueryParameter().
 *
- * @return string|bool
- * The uncompressed data or FALSE on failure.
+ * @return string
+ * The uncompressed data, or the original string if it cannot be
+ * uncompressed.
 */
- public static function uncompressQueryParameter(string $compressed): string|bool {
+ public static function uncompressQueryParameter(string $compressed): string {
 if (!\extension_loaded('zlib')) {
 return $compressed;
 }
 // Because this comes from user data, suppress the PHP warning that
 // gzcompress() throws if the base64-encoded string is invalid.
- return @gzuncompress(base64_decode(str_replace(['-', '_'], ['+', '/'], $compressed)));
+ $return = @gzuncompress(base64_decode(str_replace(['-', '_'], ['+', '/'], $compressed)));
+
+ // If we failed to uncompress the query parameter, it may be a stale link
+ // from before compression was implemented with the URL parameter
+ // uncompressed already, or it may be an incorrectly formatted URL.
+ // In either case, pass back the original string to the caller.
+ return $return === FALSE ? $compressed : $return;
 }
 /**
diff --git a/core/modules/system/src/Controller/AssetControllerBase.php b/core/modules/system/src/Controller/AssetControllerBase.php
index 19c2eec6f10..0e25e72ab6f 100644
--- a/core/modules/system/src/Controller/AssetControllerBase.php
+++ b/core/modules/system/src/Controller/AssetControllerBase.php
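Review bot: In `UrlHelper::uncompressQueryParameter()`, the new `$return = @gzuncompress(...)` line still inflates request-supplied data with no size bound, and with the fallback added below it the method no longer signals failure at all, so every caller now receives either inflated or raw user input and has to validate it itself. Consider passing a limit as the second (`max_length`) argument of `gzuncompress()`, and stating the contract under `@return`, e.g. `The returned value is unvalidated user input; callers must check it before use.` The retained context comment also names `gzcompress()` where the call is `gzuncompress()`. The class body continues outside the hunk, so other callers that relied on the old `FALSE` return cannot be checked from here.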
@@ -160,19 +160,22 @@ abstract class AssetControllerBase extends FileDownloadController {
 $this->themeManager->setActiveTheme($active_theme);
 $attached_assets = new AttachedAssets();
- $include_string = UrlHelper::uncompressQueryParameter($request->query->get('include'));
+ $include_libraries = explode(',', UrlHelper::uncompressQueryParameter($request->query->get('include')));
- if (!$include_string) {
- throw new BadRequestHttpException('The libraries to include are encoded incorrectly.');
- }
- $attached_assets->setLibraries(explode(',', $include_string));
+ $validate = function ($libraries_to_check) {
+ foreach ($libraries_to_check as $library) {
+ if (substr_count($library, '/') !== 1) {
+ throw new BadRequestHttpException('The libraries to include are encoded incorrectly.');
+ }
+ }
+ };
+ $validate($include_libraries);
+ $attached_assets->setLibraries($include_libraries);
 if ($request->query->has('exclude')) {
- $exclude_string = UrlHelper::uncompressQueryParameter($request->query->get('exclude'));
- if (!$exclude_string) {
- throw new BadRequestHttpException('The libraries to exclude are encoded incorrectly.');
- }
- $attached_assets->setAlreadyLoadedLibraries(explode(',', $exclude_string));
+ $exclude_libraries = explode(',', UrlHelper::uncompressQueryParameter($request->query->get('exclude')));
+ $validate($exclude_libraries);
+ $attached_assets->setAlreadyLoadedLibraries($exclude_libraries);
 }
 $groups = $this->getGroups($attached_assets, $request);
diff --git a/core/tests/Drupal/Tests/Component/Utility/UrlHelperTest.php b/core/tests/Drupal/Tests/Component/Utility/UrlHelperTest.php
index 5314eac580e..d7431155f80 100644
--- a/core/tests/Drupal/Tests/Component/Utility/UrlHelperTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/UrlHelperTest.php
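Review bot: In the `$validate` closure of AssetControllerBase, `substr_count($library, '/') !== 1` accepts entries with an empty half such as `/`, `a/` or `/b`, and it is the only check visible in this hunk between the raw `include`/`exclude` query values and `setLibraries()`/`setAlreadyLoadedLibraries()` now that `uncompressQueryParameter()` hands back the original string on failure. Requiring two non-empty segments is a small tightening: `if (!preg_match('@^[^/]+/[^/]+\z@', $library)) {`. The closure also throws the "include" message when the exclude list is rejected; passing the parameter name into the closure would keep the two errors distinguishable. The enclosing method starts and ends outside the hunk, so whether `include` is guaranteed to be present (non-null) before it reaches the `string`-typed parameter cannot be confirmed from here.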
@@ -129,8 +129,8 @@ class UrlHelperTest extends TestCase {
 */
 public function testUncompressInvalidString() {
 // Pass an invalid string to ::uncompressQueryParameter() and ensure it
- // doesn't result in a PHP warning.
- $this->assertFalse(UrlHelper::uncompressQueryParameter('llama'));
+ // returns the passed string without resulting in a PHP warning.
+ $this->assertSame('llama', UrlHelper::uncompressQueryParameter('llama'));
 }
 /**
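Review bot: `testUncompressInvalidString()` pins only the `'llama'` input, so the case the new UrlHelper comment gives as the reason for the fallback — a stale link carrying an already-uncompressed, comma-separated library list — has no assertion. A second assertion with a constructed value would document the pass-through contract, e.g. `$this->assertSame('core/drupal,system/base', UrlHelper::uncompressQueryParameter('core/drupal,system/base'));`. Nothing in the visible diff exercises the new slash validation in AssetControllerBase, though such a test may exist outside what is shown.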