If you save a relative path for a redirect, anonymous users can be confronted with a white screen "The website encountered an unexpected error. Please try again later."

e.g. a redirect can be entered as node/438
but should be specified as the absolute path /node/438
Anonymous users will then be correctly redirected.

This is then consistent with the requirements of specifying all path aliases with a leading slash.

CommentFileSizeAuthor
#10 2922902-internal-page-redirect-validation-10.patch1.26 KBcolincalnan
#9 2922902-internal-page-redirect-validation-9.patch1.23 KBcolincalnan
#2 2922902-internal-page-redirect-validation.patch1.74 KBsandboxpl
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

garryh created an issue. See original summary.

sandboxpl’s picture

sandboxpl
Primary language Polish
Location Poland 🇵🇱
CreditAttribution: sandboxpl at Dropsolid commented
FileSize
2922902-internal-page-redirect-validation.patch1.74 KB

Users shouldn't be able to provide invalid URLs for internal page redirects,
validation fails in Drupal\Core\Url::fromUserInput() , when provided url doesn't start with "/" , "#" , or "?" character.

This should be fixed in UI, user input should be validated before saving it, I was able to add validation for rh page redirect, initial patch attached

Dylan Donkersgoed’s picture

Dylan Donkersgoed CreditAttribution: Dylan Donkersgoed as a volunteer commented

This patch looks complete and seems to work well, so I infer you just forgot to move this to "Needs Review". I've merged this in, thanks.

Dylan Donkersgoed’s picture

Dylan Donkersgoed CreditAttribution: Dylan Donkersgoed as a volunteer commented
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

anacolautti’s picture

anacolautti CreditAttribution: anacolautti commented

I have an issue with this. I'm trying to redirect the anonymous users to a file uploaded in the content using tokens. The tokens available are [node:field_file:entity:path] which starts with public/... and [node:field_file:entity:url] which is an absolute URL (and my choice).

If I try to use [node:field_file:entity:path] the validation doesn't let me save even though the token represents a full URL. It forces me to add a '/' and messes the URL up.

matt.mendonca’s picture

matt.mendonca CreditAttribution: matt.mendonca commented

We've also run into the same issue as #7, albeit with redirecting anonymous users to the file URL for media files. In order to get around it, I exported the config with the leading slash (so that the form would save), removed the slash in the config yaml, then reimported config (kind of hacky). Doing this stops the You are not allowed to specify an external URL together with internal:/ exception from being thrown. The downside, however, is this breaks the form.

colincalnan’s picture

colincalnan CreditAttribution: colincalnan commented
FileSize
2922902-internal-page-redirect-validation-9.patch1.23 KB

I also ran into the issue with #7, I'd like to work to come up with a more robust patch that validates the token but for now this small patch does a quick string check for the presence of the `:entity:url]` string in the token and skips the validation if that's the case.

There needs to be a case to the `:entity:path]` scenario which would then translate that scheme `public://` etc. into a valid URL.

colincalnan’s picture

colincalnan CreditAttribution: colincalnan commented
FileSize
2922902-internal-page-redirect-validation-10.patch1.26 KB

Turns out I had the same issue for Link fields, the `:uri]` token will not work with this patch, so I've added that also.

Again, this seems like it could do wit a bit of a re-think.