diff --git a/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php b/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
index 5eccaaa..dd72bb7 100644
--- a/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
+++ b/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
@@ -93,9 +93,9 @@ public function checkAccess(array $tree) {
 * TRUE if the current user can access the link, FALSE otherwise.
 */
 protected function menuLinkCheckAccess(MenuLinkInterface $instance) {
- if ($this->account->hasPermission('link to any page')) {
- return TRUE;
- }
+ if ($this->account->hasPermission('link to any page')) {
+ return TRUE;
+ }
 // Use the definition here since that's a lot faster than creating a Url
 // object that we don't need.
 $definition = $instance->getPluginDefinition();
diff --git a/core/lib/Drupal/Core/Path/PathValidator.php b/core/lib/Drupal/Core/Path/PathValidator.php
index 3dd13ef..34150ae 100644
--- a/core/lib/Drupal/Core/Path/PathValidator.php
+++ b/core/lib/Drupal/Core/Path/PathValidator.php
@@ -98,7 +98,7 @@ public function getUrlIfValid($path) {
 $request = Request::create('/' . $path);
 $attributes = $this->getPathAttributes($path, $request);
 
- if ($attributes == FALSE) {
+ if (!$attributes) {
 return FALSE;
 }
 
diff --git a/core/lib/Drupal/Core/Url.php b/core/lib/Drupal/Core/Url.php
index 989b81d..9fa8f1e 100644
--- a/core/lib/Drupal/Core/Url.php
+++ b/core/lib/Drupal/Core/Url.php
@@ -9,11 +9,9 @@
 
 use Drupal\Component\Utility\UrlHelper;
 use Drupal\Core\DependencyInjection\DependencySerializationTrait;
-use Drupal\Core\Routing\MatchingRouteNotFoundException;
 use Drupal\Core\Routing\UrlGeneratorInterface;
 use Symfony\Cmf\Component\Routing\RouteObjectInterface;
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\Routing\Exception\ResourceNotFoundException;
 
 /**
 * Defines an object that holds information about a URL.
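Review bot: `if (!$attributes)` in getUrlIfValid() swaps a loose `== FALSE` for an equally loose truthiness test, so an empty attributes array returned by getPathAttributes() is rejected exactly like an explicit FALSE. If that helper signals "no match" by returning FALSE, `if ($attributes === FALSE) {` states the contract precisely and cannot hide a matched route whose attribute array happens to be empty. Whether an empty array can actually occur depends on getPathAttributes(), which is outside this hunk, as is the remainder of getUrlIfValid().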
@@ -97,10 +95,15 @@ public function __construct($route_name, $route_parameters = array(), $options =
 }
 
 /**
- * Returns the Url object matching a path.
+ * Returns the Url object matching a path. READ THE FOLLOWING SECURITY NOTE.
 *
- * Ensure that you only pass in valid paths. You can validate the paths
- * using the 'path.validator' service.
+ * SECURITY NOTE: The path is not checked to be valid and accessible by the
+ * current user to allow storing and reusing Url objects by different users.
+ * The 'path.validator' service getUrlIfValid() method should be used instead
+ * of this one if validation and access check is desired. Otherwise,
+ * 'access_manager' service checkNamedRoute() method should be used on the
+ * router name and parameters stored in the Url object returned by this
+ * method.
 *
 * @param string $path
 * A path (e.g. 'node/1', 'http://drupal.org').
@@ -121,25 +124,15 @@ public static function createFromPath($path) {
 
 // Special case the front page route.
 if ($path == '') {
- $route_name = $path;
- $route_parameters = array();
+ return new static($path);
 }
 else {
- // Look up the route name and parameters used for the given path.
- // We use the router without access checks because URL objects might be
- // created and stored for different users.
- $result = \Drupal::service('router.no_access_checks')->match('/' . $path);
- $route_name = $result[RouteObjectInterface::ROUTE_NAME];
- $route_parameters = $result['_raw_variables']->all();
+ return static::createFromRequest(Request::create($path));
 }
- return new static($route_name, $route_parameters);
 }
 
 /**
- * Returns the Url object matching a request.
- *
- * Ensure that you only pass in valid paths. You can validate the paths
- * using the 'path.validator' service.
+ * Returns the Url object matching a request. READ THE SECURITY NOTE ON createFromPath().
 *
 * @param \Symfony\Component\HttpFoundation\Request $request
 * A request object.
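Review bot: The last sentence of the new SECURITY NOTE says "router name" where it means the route name, i.e. the `$route_name` the constructor shown in the hunk header stores on the Url object; suggest `   * route name and parameters stored in the Url object returned by this`. The 'path.validator' reference would be easier to follow if it named the concrete class this same patch touches, `\Drupal\Core\Path\PathValidator::getUrlIfValid()`, so readers find the access-checked alternative directly. The body of createFromPath() continues outside this hunk.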
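Review bot: `return static::createFromRequest(Request::create($path));` builds the request from the bare path, whereas the removed code matched `'/' . $path` and PathValidator::getUrlIfValid() in this same patch also prepends the slash with `Request::create('/' . $path)`; unless createFromRequest() normalises the path info itself, a relative path such as 'node/1' may no longer resolve the way it did before, so either `return static::createFromRequest(Request::create('/' . $path));` or a comment explaining why the slash is no longer needed would remove the inconsistency. The new summary line `Returns the Url object matching a request. READ THE SECURITY NOTE ON createFromPath().` runs past 80 columns, which breaks the one-line summary convention for docblocks; moving the pointer into a second paragraph keeps the summary intact. Since both branches now return directly, `if ($path === '') {` would also make the front-page special case strict. createFromRequest() itself lies outside this hunk.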
diff --git a/core/modules/system/system.module b/core/modules/system/system.module
index 71d3500..d786681 100644
--- a/core/modules/system/system.module
+++ b/core/modules/system/system.module
@@ -263,6 +263,7 @@ function system_permission() {
 ),
 'link to any page' => [
 'title' => t('This allows to bypass access checking when linking to internal paths.'),
+ 'restrict access' => TRUE,
 ],
 );
 }
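Review bot: The 'title' of 'link to any page' is phrased as a warning ("This allows to bypass access checking ...") rather than a permission name, and that becomes more visible now that `'restrict access' => TRUE` flags it as a security-sensitive permission in the administration UI; the flag itself is justified, since the DefaultMenuLinkTreeManipulators hunk in this patch shows the permission short-circuits menu link access checking entirely. Consider `'title' => t('Link to any page'),` followed by `'description' => t('This allows to bypass access checking when linking to internal paths.'),` so administrators see a name and the warning separately, assuming the permission array accepts a 'description' key here. system_permission() starts and ends outside this hunk.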