TFA redirects to 404 if ?destination includes query parameters [#2687021]

Problem/Motivation

TFA does not process the destination parameter correctly when it contains query parameters.

The Zendesk module, when doing SSO with Zendesk, involves a redirect to:

user?destination=services/zendesk%3Fbrand_id%3D123456%26locale_id%3D1%26return_to%3Dhttps%253A//example.zendesk.com/agent/tickets/123

When the TFA process intervenes, and the user enters the correct code, it generates a redirect to:

services/zendesk%3Fbrand_id%3D123456%26locale_id%3D1%26return_to%3Dhttps%253A//example.zendesk.com/agent/tickets/123

That results in a 404 error, of course, because the query parameters are erroneously URL-encoded.

Proposed resolution

Fix _tfa_form_get_destination() to separate the query from the path in ?destination - in other words, make it behave a bit more like drupal_goto() in its processing of ?destination.

Comment	File	Size	Author
#17	tfa-2687021-17.patch	2.32 KB	jcnventura
#17	7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass
#17	interdiff_11_17.txt	2.34 KB	jcnventura
#11	tfa-2687021-11.patch	2.71 KB	petar.kolicov
#11	7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass
#10	tfa-2687021-10.patch	2.65 KB	petar.kolicov
#10	7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass, 1 fail
#2	tfa-2687021-2.patch	2.62 KB	pjcdawkins
#2	7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

14 March 2016 at 13:28

pjcdawkins created an issue. See original summary.

Comment #2

pjcdawkins CreditAttribution: pjcdawkins commented 14 March 2016 at 13:31

Status:

Active

» Needs review

File	Size
tfa-2687021-2.patch	2.62 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass

This patch

adds checking and parsing of the '?destination', similar to drupal_goto()
renames the local variable $destination to $path to avoid confusion.
removes a call to drupal_get_query_parameters() because it wasn't doing anything helpful.
removes an array_merge() which seemed intended to (always) pass along the entire current query to the redirect, which seemed wrong

Comment #3

pjcdawkins CreditAttribution: pjcdawkins commented 14 March 2016 at 13:34

Issue summary:

View changes

Comment #4

drumm

he/him

NY, US

CreditAttribution: drumm at Drupal Association commented 15 September 2016 at 12:37

Issue tags:

+affects drupal.org

Looks like something similar happens with a #fragment: #2800461: login (with two factor authentication) results in a "404 - Page not found" mesage

Comment #5

frederickjh

he/him

English

The Big Island of Hawai'i

CreditAttribution: frederickjh commented 18 September 2016 at 21:17

Related Issue

Comment #6

pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commented 15 September 2016 at 13:04

Assigned:

pjcdawkins

» Unassigned

FWIW, we've used this patch in production for 6 months.

Comment #7

frederickjh

he/him

English

The Big Island of Hawai'i

CreditAttribution: frederickjh commented 18 September 2016 at 21:18

Hi pjcdawkins!

Thanks for that information about the patch that fixes this.

drumm is unwilling to patch this module on drupal.org before the patch is commited to this module. I am guessing before you do this the security team will not review the updated version of the module nor the patch.

I can understand drumm's point of view. If you think that this patch fixes this issue in the correct manner then I would urge you to commit it and release a new version of the TFA module so that the security team can review it and allow the drupal.org webmasters to update and fix the issue there.

Thanks for your help and understanding in this matter!
Frederick

Comment #8

pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commented 17 September 2016 at 13:53

Hi Frederick, there's some misunderstanding here. I am not a TFA module maintainer; I don't have the authority nor the permission to commit my patch.

Comment #9

frederickjh

he/him

English

The Big Island of Hawai'i

CreditAttribution: frederickjh commented 18 September 2016 at 21:16

My apologies @pjcdawkins! I should have check that and not assumed you were a maintainer. Thanks for the patch and the update on how it is working.

I previous comments then about committing a patch for this issue and pushing a new release should be redirected to the module maintainers.

Comment #10

petar.kolicov CreditAttribution: petar.kolicov commented 14 March 2017 at 11:12

File	Size
tfa-2687021-10.patch	2.65 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass, 1 fail

Hi @pjcdawkins,

When FTA is enable and user try to reset password, TFA redirect is not working correct because $options['query'] = $destination['query']; overwrites 'pass-reset-token' in query. I add one change to your patch ($options['query'] = array_merge($options['query'], $destination['query'])).

Comment #11

petar.kolicov CreditAttribution: petar.kolicov commented 14 March 2017 at 13:35

File	Size
tfa-2687021-11.patch	2.71 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass

Sorry, I found one mistake in my code.

Comment #12

14 March 2017 at 21:02

The last submitted patch, 10: tfa-2687021-10.patch, failed testing.

Comment #13

frederickjh

he/him

English

The Big Island of Hawai'i

CreditAttribution: frederickjh commented 22 March 2017 at 07:19

Priority:

Normal

» Major

Hi!
I am changing this issue to major as it affects all users on drupal.org that use two-factor authentication. In the related issue drumm, one of the web admins for drupal.org says that until this code in commit and released so that the security team reviews it he is unwilling to patch drupal.org. I think that this constitutes being a major bug by the fact that it reflects badly on the drupal community and that it affects users willing to improve the security of their drupal.org account by enabling two-factor authentication.

Comment #14

pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commented 7 March 2018 at 09:08

Status:

Needs review

» Reviewed & tested by the community

@petar.kolicov's modification to my earlier patch is a good one.

Setting patch #11 RTBC.

Comment #15

DamienMcKenna

NH, USA

CreditAttribution: DamienMcKenna at Mediacurrent commented 16 June 2019 at 18:46

Parent issue:

» #3062117: Plan for TFA 7.x-2.1

Comment #16

DamienMcKenna

NH, USA

CreditAttribution: DamienMcKenna at Mediacurrent commented 16 June 2019 at 18:50

Parent issue:

#3062117: Plan for TFA 7.x-2.1

» #2241821: Plan for TFA 7.x-2.2 release

Comment #17

jcnventura CreditAttribution: jcnventura at 1xINTERNET commented 22 August 2020 at 14:37

File	Size
interdiff_11_17.txt	2.34 KB
tfa-2687021-17.patch	2.32 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass

3 files were hidden/shown/deleted

File	Size
tfa-2687021-2.patch	2.62 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass
tfa-2687021-10.patch	2.65 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass, 1 fail
tfa-2687021-11.patch	2.71 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 11 pass

I've undone the $destination -> $path rename as it made it a bit harder to review the patch, and it changed a lot of code in places that really didn't need to be changed.

Comment #18

22 August 2020 at 15:19

jcnventura authored 3554d4a on 7.x-2.x

Issue #2687021 by petar.kolicov, jcnventura, pjcdawkins: TFA redirects...

Comment #19

jcnventura CreditAttribution: jcnventura at 1xINTERNET commented 22 August 2020 at 15:19

Status:

Reviewed & tested by the community

» Fixed

Comment #20

5 September 2020 at 15:24

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

TFA redirects to 404 if ?destination includes query parameters

Problem/Motivation

Proposed resolution

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Comment #19

Comment #20

Parent issue

Related issues

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community