diff --git a/core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashes.php b/core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashes.php
index 41f6377..0480161 100644
--- a/core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashes.php
+++ b/core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashes.php
@@ -29,8 +29,10 @@ public function redirect(GetResponseEvent $event) {
 $path = $request->getPathInfo();
 // It is impossible to create a link or a route to a path starting with
- // leading slashes. However if a form is added to the 404 page that submits
- // back to the same URI this presents an open redirect vulnerability.
+ // multiple leading slashes. However if a form is added to the 404 page that
+ // submits back to the same URI this presents an open redirect
+ // vulnerability. Also, Drupal 7 renders the same page for
+ // http://www.example.org/foo and http://www.example.org////foo.
 if (strpos($path, '//') === 0) {
 $path = '/' . ltrim($path, '/');
 $qs = $request->getQueryString();
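Review bot: The reworded comment above `if (strpos($path, '//') === 0)` still does not say why a path with several leading slashes is an open redirect, and the new Drupal 7 sentence states a fact without tying it to the redirect that follows. I would add a line such as `// A path beginning with '//' is read as a scheme-relative URL, so a form action echoing it can point at another host.` and reword the last sentence to `// Redirecting to the single-slash path also keeps Drupal 7 URLs such as http://www.example.org////foo working.` The second rewording is inferred from the comment text, so please confirm that backward compatibility is the intent. The body of redirect() starts and ends outside the hunk, so how the redirect target is assembled from `$path` and `$qs` is not visible here.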