diff --git a/core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php index a912629..2410e61 100644 --- a/core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php +++ b/core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php @@ -31,11 +31,11 @@ public function checkRedirectUrl(FilterResponseEvent $event) { $redirect_path = $response->getTargetUrl(); $destination = $event->getRequest()->query->get('destination'); - // A destination in $_GET always overrides the function arguments. + // A destination in $_GET always overrides the current RedirectResponse. // We do not allow absolute URLs to be passed via $_GET, as this can be an // attack vector, with the following exception: // - Absolute URLs that point to this site (i.e. same base URL and - // base path) are allowed.rget + // base path) are allowed. if ($destination && (!url_is_external($destination) || _external_url_is_local($destination))) { $destination = drupal_parse_url($destination); diff --git a/core/modules/overlay/lib/Drupal/overlay/EventSubscriber/OverlaySubscriber.php b/core/modules/overlay/lib/Drupal/overlay/EventSubscriber/OverlaySubscriber.php index b6c380e..4b938e8 100644 --- a/core/modules/overlay/lib/Drupal/overlay/EventSubscriber/OverlaySubscriber.php +++ b/core/modules/overlay/lib/Drupal/overlay/EventSubscriber/OverlaySubscriber.php 
@@ -134,6 +134,32 @@ public function onResponse(FilterResponseEvent $event) { } } } + $response = $event->getResponse(); + if ($response instanceOf RedirectResponse) { + $path = $response->getTargetUrl(); + // The authorize.php script bootstraps Drupal to a very low level, where + // the PHP code that is necessary to close the overlay properly will not + // be loaded. Therefore, if we are redirecting to authorize.php inside + // the overlay, instead redirect back to the current page with + // instructions to close the overlay there before redirecting to the + // final destination. + $options = array('absolute' => TRUE); + if ($path == system_authorized_get_url($options) || $path == system_authorized_batch_processing_url($options)) { + $_SESSION['overlay_close_dialog'] = array($path, $options); + $path = current_path(); + $options = drupal_get_query_parameters(); + } + + // If the current page request is inside the overlay, add ?render=overlay + // to the new path, so that it appears correctly inside the overlay. + if (isset($options['query'])) { + $options['query'] += array('render' => 'overlay'); + } + else { + $options['query'] = array('render' => 'overlay'); + } + $response->setTargetUrl(url($path, $options)); + } } } diff --git a/core/modules/overlay/overlay.module b/core/modules/overlay/overlay.module index 6d745d6..d95040c 100644 --- a/core/modules/overlay/overlay.module +++ b/core/modules/overlay/overlay.module 
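Review bot: The block added to onResponse() has no visible `overlay_get_mode() == 'child'` check, which the removed overlay_drupal_goto_alter() applied before it touched the redirect. The function starts outside this hunk, so confirm the block sits inside such a guard; otherwise every RedirectResponse gets `render=overlay` appended and authorize.php redirects are diverted through `$_SESSION['overlay_close_dialog']` even outside the overlay. If it is not guarded, the condition could read `if ($response instanceof RedirectResponse && overlay_get_mode() == 'child') {`. Separately, `$path` is now the full target URL rather than an internal path, so the `==` comparison with `system_authorized_get_url($options)` only matches when the redirect carries no extra query string or fragment; a one-line comment stating that assumption would help.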
@@ -178,34 +178,6 @@ function overlay_library_info() { } /** - * Implements hook_drupal_goto_alter(). - */ -function overlay_drupal_goto_alter(&$path, &$options, &$http_response_code) { - if (overlay_get_mode() == 'child') { - // The authorize.php script bootstraps Drupal to a very low level, where - // the PHP code that is necessary to close the overlay properly will not be - // loaded. Therefore, if we are redirecting to authorize.php inside the - // overlay, instead redirect back to the current page with instructions to - // close the overlay there before redirecting to the final destination; see - // overlay_init(). - if ($path == system_authorized_get_url() || $path == system_authorized_batch_processing_url()) { - $_SESSION['overlay_close_dialog'] = array($path, $options); - $path = current_path(); - $options = drupal_get_query_parameters(); - } - - // If the current page request is inside the overlay, add ?render=overlay - // to the new path, so that it appears correctly inside the overlay. - if (isset($options['query'])) { - $options['query'] += array('render' => 'overlay'); - } - else { - $options['query'] = array('render' => 'overlay'); - } - } -} - -/** * Implements hook_batch_alter(). * * If the current page request is inside the overlay, add ?render=overlay to diff --git a/core/modules/system/system.module b/core/modules/system/system.module index c3a3b01..7e91d75 100644 --- a/core/modules/system/system.module +++ b/core/modules/system/system.module 
@@ -2420,9 +2420,13 @@ function system_authorized_get_url(array $options = array()) { /** * Returns the URL for the authorize.php script when it is processing a batch. + * + * @param array $options + * Optional array of options to pass to url(). */ -function system_authorized_batch_processing_url() { - return system_authorized_get_url(array('query' => array('batch' => '1'))); +function system_authorized_batch_processing_url(array $options = array()) { + $options['query'] = array('batch' => '1'); + return system_authorized_get_url($options); } /** diff --git a/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php index c9f1b0a..fb3d776 100644 --- a/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php +++ b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php 
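Review bot: `$options['query'] = array('batch' => '1');` in system_authorized_batch_processing_url() discards any query parameters a caller passes through the new `$options` argument. Merging instead, with `$options['query']['batch'] = '1';`, keeps them and still sets the batch flag. The docblock gains `@param` but has no `@return`; assuming system_authorized_get_url() returns a URL string, a line such as `@return string The authorize.php URL with the batch query parameter set.` would complete it.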
@@ -33,13 +33,27 @@ public function onKernelRequestSessionTest(GetResponseEvent $event) { } /** - * Set header for session testing. + * Performs tasks for session_test module on kernel.response. * * @param \Symfony\Component\HttpKernel\Event\FilterResponseEvent $event * The Event to process. */ public function onKernelResponseSessionTest(FilterResponseEvent $event) { - $event->getResponse()->headers->set('X-Session-Empty', $this->emptySession); + $response = $event->getResponse(); + if ($response instanceOf RedirectResponse) { + // Force the redirection to go to a non-secure page after being on a + // secure page through https.php. + global $base_insecure_url, $is_https_mock; + // Alter the redirect to use HTTP when using a mock HTTPS request through + // https.php because form submissions would otherwise redirect to a + // non-existent HTTPS site. + if (!empty($is_https_mock)) { + $path = $base_insecure_url . '/' . $path; + $response->setTargetUrl($path); + } + } + // Set header for session testing. + $response->headers->set('X-Session-Empty', $this->emptySession); } /** diff --git a/core/modules/system/tests/modules/session_test/session_test.module b/core/modules/system/tests/modules/session_test/session_test.module index b3e82fd..73bf3ff 100644 --- a/core/modules/system/tests/modules/session_test/session_test.module +++ b/core/modules/system/tests/modules/session_test/session_test.module 
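Review bot: In the `!empty($is_https_mock)` branch of onKernelResponseSessionTest(), `$path` is read before it is ever assigned, so the target becomes `$base_insecure_url . '/'` and PHP raises an undefined-variable notice. The removed hook received `$path` as a parameter, so the new code needs `$path = $response->getTargetUrl();` before the concatenation. A RedirectResponse target is probably already an absolute URL, so prepending `$base_insecure_url` may yield a malformed URL; swapping the scheme and host is likely what is needed, to be confirmed against the test's expectations. No hunk in this file adds a `use` statement for RedirectResponse, so if it is not already imported, `instanceOf RedirectResponse` resolves inside the subscriber's own namespace and is silently always false.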
@@ -162,22 +162,6 @@ function session_test_form_user_login_form_alter(&$form) { } /** - * Implements hook_drupal_goto_alter(). - * - * Force the redirection to go to a non-secure page after being on a secure - * page through https.php. - */ -function session_test_drupal_goto_alter(&$path, &$options, &$http_response_code) { - global $base_insecure_url, $is_https_mock; - // Alter the redirect to use HTTP when using a mock HTTPS request through - // https.php because form submissions would otherwise redirect to a - // non-existent HTTPS site. - if (!empty($is_https_mock)) { - $path = $base_insecure_url . '/' . $path; - } -} - -/** * Menu callback, only available if current user is logged in. */ function _session_test_is_logged_in() {