Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
That's not good. I will have a patch made for D6 as well.
Comment | File | Size | Author |
---|---|---|---|
#50 | drupal-171267-50.patch | 690 bytes | dcam |
#47 | drupal-171267-47.patch | 690 bytes | dcam |
#42 | drupal-171267-42.patch | 4.98 KB | dcam |
#38 | drupal-171267-38-tests.patch | 4.61 KB | tim.plunkett |
#38 | drupal-171267-38-combined.patch | 4.96 KB | tim.plunkett |
Comments
Comment #1
kkaefer CreditAttribution: kkaefer commentedExplanation: If your
form action
is something likefoo?bar=baz
, the query parameters will be stripped when submitting that form.Comment #2
chx CreditAttribution: chx commentedYou must either specify a description or change something about this issue.
Comment #3
Dries CreditAttribution: Dries commentedHow does a base URL prevent encoding? Because of the handling in url()?
Comment #4
chx CreditAttribution: chx commentedYes. It becomes an absolute URL and external URLs are returned early, before
Comment #5
Dries CreditAttribution: Dries commentedOne important difference might be the fact that url() escape its parameters whereas request_uri() returns data that is potentially insecure (XSS). As you were recently investigating drupal_goto() you might be able to comment on that before we go ahead and commit this patch?
Comment #6
JirkaRybka CreditAttribution: JirkaRybka commentedJust cross-linking a related isuue (bug report on D6 install.php) - http://drupal.org/node/172262
Not sure if that one is caused by this entirely / partially / not at all (the patch above doesn't help), but still seems related.
Comment #7
JirkaRybka CreditAttribution: JirkaRybka commentedMy problem with Install (linked above) turned out to be completely unrelated, so you can ignore my commnets here.
Comment #8
drummSite in subdirectory, clean urls off, redirects add duplicate copies of the subdirectory.
Comment #9
jamix CreditAttribution: jamix commentedI've faced the same problem with Drupal 5 not keeping table's sort parameters upon form submit. I used the workaround below to fix this behavior; works beautifully.
Comment #10
TR CreditAttribution: TR commentedAccording to #2 this is apparently an issue in Drupal 6.x. I don't know whether it's still a problem in D7 or D8. Changing version because Drupal 5.x is no longer supported.
Comment #11
rszrama CreditAttribution: rszrama commentedThis issue still exists; just found it through a bug report in Commerce. I don't think this needs to be critical, so I'm just moving it to major since we didn't have the priority when this issue was first reported. I'm guessing this needs a re-roll...
Comment #12
dawehnerThis definitive needs simpletests, but sadly there are no extra tests for form redirection.
Here is another issue for it #1261842: Create test for form redirect
Comment #13
catchTagging.
Comment #14
NROTC_Webmaster CreditAttribution: NROTC_Webmaster commentedHere are the patches for D7 and D8.
Comment #16
tim.plunkettMerging in the tests from #1261842: Create test for form redirect.
Comment #20
tim.plunkettThis must be something to do with the base URL, I tried a couple tests locally (without a subdomain, unlike the bot) and they passed.
Something to look into tomorrow.
Comment #21
tim.plunkettLet's see some more info.
Comment #23
tim.plunkettDebug code didn't take into account the absolute => TRUE in assertURL.
Comment #25
tim.plunkettAh, so it's the subdirectories? Later I'll figure out how to install Drupal locally with subdirectories, for now here's this.
Comment #27
tim.plunkettIf you look at the debug messages for Drupal\system\Tests\Form\RedirectTest in that last patch, the base URL is
'http://drupaltestbot654-mysql/checkout'
, but the results of request_uri() are'/checkout/form-test/redirect?foo=bar'
, and checkout is duplicated.But is that really the expected result of request_uri()? I would have thought it would be
'/form-test/redirect?foo=bar'
Comment #28
tim.plunkettHm, wonder how this might work.
Comment #30
tim.plunkett#28: drupal-171267-28.patch queued for re-testing.
Comment #31
tim.plunkettHere's a more straightforward patch.
For D7, we'll have to use a copy of $_GET, and unset 'q' first.
Comment #32
chx CreditAttribution: chx commentedI can't RTBC this -- although I would normally. I would like to see what Crell says about the usage of request.
Comment #33
tim.plunkettWhile attempting a backport to D7, I realized that there was no need for any of the content type stuff in the setUp(), I must have just copy/pasted that.
This just removes those, no other changes.
In the D7 one I didn't even bother removing 'q' from $_GET first, since url() ignores it anyway.
Comment #34
Crell CreditAttribution: Crell commentedFor the D8 patch, this could only be a temporarily solution since:
1) request() is a temporary BC shiv that I hope we can remove.
2) drupal_goto() is going to have to change anyway, as you should now be using a RedirectResponse object.
Of course, we have some Drupal-specific logic in drupal_goto(), which I don't know that we can entirely eliminate. (destination= handling, etc.) That makes me wonder if we need a DrupalRedirectResponse object of some sort, (or probably a Drupal-namespaced RedirectResponse) that replicates the handling from drupal_goto(). GET query parameter persistence should be part of that, where appropriate, but I also worry about that class ending up with hard dependencies in it if we're not careful.
So, tentatively OK with this patch for now, on condition that we spin up a new issue to discuss how to eliminate drupal_goto() entirely in favor of something cleaner that would internalize the solution to this problem.
Comment #35
tim.plunkettI opened #1668866: Replace drupal_goto() with RedirectResponse.
Comment #36
chx CreditAttribution: chx commentedOK then temporarily let's get this major fixed :)
Comment #37
catchThanks for opening the follow-up. This looks great as an interim fix and something that should be more or less straightforward to backport. Committed/pushed to 8.x.
Comment #38
tim.plunkettThanks! Rerolled.
Comment #39
chx CreditAttribution: chx commentedYay! Didn't even take five years to get this superb complicated issue fixed.
Comment #40
andypost+1 to commit
Comment #41
David_Rothstein CreditAttribution: David_Rothstein commentedThis needs to use drupal_get_query_parameters(). Otherwise, visiting the form at, e.g.,
admin/config/system/site-information
will redirect you to a URL that looks likeadmin/config/system/site-information?q=admin/config/system/site-information
.That bug won't exist in Drupal 8, but I would think it should use drupal_get_query_parameters() there too anyway, for consistency with the rest of the codebase. Leaving at D7 for now, though.
Comment #42
dcam CreditAttribution: dcam commentedI got the same result as #41. When submitting the form at admin/config/system/site-information I was redirected to admin/config/system/site-information?q=admin/config/system/site-information. I'm attaching a patch that replaces $_GET with drupal_get_query_parameters(). It did seem to solve that particular issue.
Comment #43
tim.plunkettGood catch David.
It seems that in D8, drupal_get_query_parameters() hasn't been updated to use the kernel, and I'd be just as happy to leave it as is there.
This is RTBC for D7.
Comment #44
webchickGoing to kick back to David since he seems to understand this code better than I do. :)
Comment #45
David_Rothstein CreditAttribution: David_Rothstein commentedCommitted to 7.x - thanks! http://drupalcode.org/project/drupal.git/commit/50fce51
Moving to Drupal 6 for backport.
Comment #46
rszrama CreditAttribution: rszrama commentedWoohoo! Happy day. : )
Comment #47
dcam CreditAttribution: dcam commentedThis is a reroll of #2 for D6.
Comment #49
rszrama CreditAttribution: rszrama commentedShould be request_uri() not request_url(), but shouldn't it also backport your tests?
Comment #50
dcam CreditAttribution: dcam commentedThanks for catching the request_uri() problem.
As for the tests, I'll admit I'm still a core newb and this is my first 6.x patch, but I thought tests don't get backported because simpletest isn't in core. If I'm mistaken then someone please correct me.
Comment #51
dcam CreditAttribution: dcam commentedComment #52
xjmThanks @dcam! You're correct about the tests. Since this is now a D6 patch, it needs to be tested by hand.
Comment #53
David_Rothstein CreditAttribution: David_Rothstein commentedBe careful backporting this to Drupal 6 - it looks like it probably caused some issues: #1836082: Drupal 7.17 breaks some form redirects (including views exposed filters)