The patch cleans all parameters recursively. The example
Elin Y.

That’s correct, but the patch Drupal applied only looks for hash keys in the FIRST set of keys, i.e., $_GET = ['#payload' => {payload}];

$_GET = ['page' => ['#payload' => 'home.php']]; This payload would currently go through the Drupal patch without violating the new filtering conditions; therefore, it cannot match the expected exploit pattern for this attack.
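
For readers comparing the two behaviours discussed in this thread, here is an added example (not part of either comment and not Drupal's own code) that runs a first-level-only key filter and a recursive one over the two array shapes quoted above. The helper names `strip_top_level()` and `strip_recursive()` are hypothetical, and the `'home.php'` values are constructed sample input.

```php
<?php
// Added illustration; this is not Drupal's sanitizer code.
// strip_top_level() and strip_recursive() are hypothetical helpers.

/** Drops '#'-prefixed keys from the first level of the array only. */
function strip_top_level(array $input): array {
    foreach (array_keys($input) as $key) {
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            unset($input[$key]);
        }
    }
    return $input;
}

/** Drops '#'-prefixed keys at every depth and records each removed key path. */
function strip_recursive(array $input, array &$removed = [], string $path = ''): array {
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            unset($input[$key]);          // remove the property-style key
            $removed[] = $here;           // keep a record for logging or alerting
        } elseif (is_array($value)) {
            $input[$key] = strip_recursive($value, $removed, $here);
        }
    }
    return $input;
}

// Constructed inputs mirroring the two shapes quoted in the reply.
$flat   = ['#payload' => 'home.php'];
$nested = ['page' => ['#payload' => 'home.php']];

// First-level filter applied to both shapes.
var_dump(strip_top_level($flat));
var_dump(strip_top_level($nested));

// Recursive filter applied to the nested shape, with the removed paths.
$removed = [];
var_dump(strip_recursive($nested, $removed));
var_dump($removed);
```

Comparing the dumps for `$nested` shows whether a given filter reaches keys below the first level, which is the property the two commenters disagree about.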
