Patched to Drupal 8.4.8 level. See https://www.drupal.org/sa-core-2018-004 and patch...
[yaffs-website] / web / core / modules / file / src / Element / ManagedFile.php
index ca4e887a1b3fd193006cd2eb657a8fceacf18f8f..6f01ee552e979a3539b8e64acb8045c1d4ed5972 100644 (file)
@@ -8,6 +8,7 @@ use Drupal\Component\Utility\NestedArray;
 use Drupal\Core\Ajax\AjaxResponse;
 use Drupal\Core\Ajax\ReplaceCommand;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\Core\Render\Element;
 use Drupal\Core\Render\Element\FormElement;
 use Drupal\Core\Site\Settings;
 use Drupal\Core\Url;
@@ -175,6 +176,9 @@ class ManagedFile extends FormElement {
 
     $form_parents = explode('/', $request->query->get('element_parents'));
 
+    // Sanitize form parents before using them.
+    $form_parents = array_filter($form_parents, [Element::class, 'child']);
+
     // Retrieve the element to be rendered.
     $form = NestedArray::getValue($form, $form_parents);
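Review bot: The `array_filter()` call on `$form_parents` silently drops every segment that `Element::child()` rejects and then resolves whatever path is left, so a request that tried to address a render-array property is answered as if it had asked for a different element rather than being refused. `element_parents` comes straight from the query string, and a `#`-prefixed segment should not occur in a legitimate request, so comparing the filtered array with the original and rejecting (and logging) on a mismatch would keep that signal for detection. The comment could also say what is removed and why, e.g. `// element_parents is request-controlled: keep only child keys (no leading '#') so the path cannot reach render-array properties.` The enclosing method starts and ends outside the hunk, so whether the result of `NestedArray::getValue()` is validated afterwards cannot be seen from here.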