Posted by JHeffner on February 21, 2007 at 7:55pm
| Project: | Drupal core |
| Version: | 8.x-dev |
| Component: | path.module |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Certain paths should be reserved for paths in the file system such as includes, misc, modules, profiles, scripts, sites, and themes. When you try and add one of these in 'url path settings' it will allow the entry and redirect to the 404 page not found, if clean URLs are allowed.
I'm not sure what the correct handling of these urls should be.
I'm re-submitting this to Core. I accidentally posted this under the old path module at http://drupal.org/node/118769
Comments
#1
I'm not sure precisely what feature you're after from the first paragraph - do you want it to be impossible to set those paths, or do you want path.module to set them aside somehow (to define them separately beforehand)?
Regardless, the standard Apache mod_rewrite config prevents Drupal from intercepting requests to existing files. Apache checks to see if a system file or directory exists: if it does, Drupal never gets a look-in.
I'm changing this to feature request as I don't see any buggy behaviour here: if you set a path to an existing file, the existing file is still served up by the webserver, isn't it?
#2
Yes, I'd consider it a feature request at this point. It would be nice if path.module wouldn't allow a user to use a url of a known "reserved" path used by the product.
#3
Just to make it clear, this is reserved as in, "won't work due to how Apache handles rewrites" and not reserved as in "a core system URL" like admin, feed, etc. The first one I think would be a great addition, since I have run into that problem once before myself. The second wouldn't be a good idea, since I have often needed to replace core URLs with my own pages as needed.
So, it's a +/-1 :)
Robin
#4
@Robin, right.. I had to use the second method several places as well.
#5
Bumping to 7.x for a feature request. Also marking #366275: 403 on alias 'sites' as a duplicate of this issue.
#6
#7
Bumping to D8 since it's too late for D7.
#8
subscribing. #22336: Move all core Drupal files under a /core folder to improve usability and upgrades should help with making Drupal's path less likely to be used as URL aliases.
#9
This issue is also there in D6. Will be nice if a solution is provided. I have run into this issue while creating a French site. There is a page titled "Thèmes" which is the French word for "Issues". The path for the page became "themes" which conflicts with the Drupal themes directory name and I am getting a "403 Forbidden error". Since clients want the path to remain the same (as we are migrating their old site keeping the paths same) it has become a big problem for me.
#10
Merging in the following issues as duplicates:
#803382: Manually entered path can override another Drupal internal path
#1018960: Add hook_path_validate() API
#757732: Overriding Drupal paths
Not really part of the original issue but goes straight along with it is we want to limit the ability for users with just the 'create url aliases' permission to make URL aliases for system paths like 'node', 'user', or 'admin'.
#11
I've drafted up a D7 module Path restrict which essentially uses a method equivalent to hook_admin_paths() to determine if a URL alias should be allowed.
Edit: Created a sandbox project on Drupal for the code (instead of the GitHub repository that was previously linked).
#12
We still want to make sure we can get this into D8 core as well.
#13
I was really surprised when I discovered this issue. Isn't this a big security implication? The only required permission to mess up a Drupal site big time is "Create and edit URL aliases" (which are often given to simple content editors etc).
Then it's just to start hijacking critical core paths like "admin/config", "user/login" with e.g. a link to a malicious site.
I don't know what would be the ideal solution but perhaps protecting existing system paths, router items (like "node/%") and the files directory. Btw, isn't it weird that aliases are prioritized higher than system paths when a page request is made?
#14
Marked #1020412: Detect files on file system when preventing name collisions as a duplicate of this issue.
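The checks asked for across this thread (the reserved directories from the issue summary, the file-system test from #14, and the system-path restriction from #10 and #13), written in plain PHP as an added example that is not part of the thread, Drupal core, or the Path restrict module. The function names, the `SYSTEM_ROUTES` sample and the `$mayOverrideSystem` flag (standing in for a permission that lets trusted users replace core URLs, as #3 describes) are assumptions.

```php
<?php
// Added illustration in plain PHP; no Drupal APIs are used. Names and lists are assumptions.
// Top-level directories named in the issue summary.
const RESERVED_DIRS = ['includes', 'misc', 'modules', 'profiles', 'scripts', 'sites', 'themes'];
// Constructed sample of router patterns; '%' stands for exactly one path segment.
const SYSTEM_ROUTES = ['admin', 'admin/config', 'user', 'user/login', 'node', 'node/%'];
function route_matches(string $pattern, array $segments): bool {
    $p = explode('/', $pattern);
    if (count($p) !== count($segments)) {
        return false;
    }
    foreach ($p as $i => $seg) {
        if ($seg !== '%' && $seg !== $segments[$i]) {
            return false;
        }
    }
    return true;
}

// Returns a rejection reason, or null when the alias may be saved.
function alias_conflict(string $alias, string $docroot, bool $mayOverrideSystem): ?string {
    // Lower-case, then drop empty segments left by leading, trailing or doubled slashes.
    $segments = array_values(array_filter(explode('/', strtolower(trim($alias))), fn($s) => $s !== ''));
    // Refuse dot segments before the alias is ever used to build a file-system path.
    if ($segments === [] || array_intersect($segments, ['.', '..']) !== []) {
        return 'empty alias or dot segment';
    }
    $path = implode('/', $segments);
    // The stock rewrite rules skip Drupal when the request names an existing file or directory.
    if (in_array($path, RESERVED_DIRS, true) || file_exists($docroot . '/' . $path)) {
        return 'shadowed by a file or directory under the document root';
    }
    if (!$mayOverrideSystem) {
        foreach (SYSTEM_ROUTES as $pattern) {
            if (route_matches($pattern, $segments)) {
                return "collides with system path '$pattern'";
            }
        }
    }
    return null;
}

// Constructed demo: a throwaway document root holding only a 'themes' directory.
$docroot = sys_get_temp_dir() . '/alias_demo_' . getmypid();
mkdir($docroot . '/themes', 0700, true);
foreach (['Themes/', 'sites', 'user/login', 'node/42', '../etc', 'about-us'] as $alias) {
    printf("%-12s editor: %s\n", $alias, alias_conflict($alias, $docroot, false) ?? 'ok');
}
printf("%-12s admin:  %s\n", 'user/login', alias_conflict('user/login', $docroot, true) ?? 'ok');
rmdir($docroot . '/themes') && rmdir($docroot);
```

Only `about-us` passes for the restricted editor; `user/login` passes once the override flag is set, while the file-system check applies to everyone because the web server answers those requests before Drupal sees them.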