Suppose that a user is on node/1 and clicks on a link to node/1/addfavorites?destination=node/1&argument=123123. Then the page callback for node/1/addfavorites tries to fetch an access token.
Once the authentication and authorization are done on the server, we are redirected by the server to the redirect uri: oauth2/authorized. This page should then redirect the user to the saved path node/1/addfavorites?destination=node/1&argument=123123, and then this page should redirect the user to node/1.
Currently, the page oauth2/authorized redirects directly to node/1, which is wrong, because the page node/1/addfavorites is trying to get an access token, not the page node/1.
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | oauth2_client-fix_chain_redirections-2789501-5.patch | 1.52 KB | dashohoxha |
Comments

Comment #2
dashohoxha commented
drupal_get_destination() is also affected by $_GET['destination'], so it has to be handled carefully. If $_GET['destination'] comes from a malicious or stupid server, it can totally disrupt the work of the application by misguiding and cheating drupal_goto().

Comment #3
dashohoxha commented

Comment #4
chrisguindon commented
This patch works for me!

Comment #5
dashohoxha commented
By looking at the definition of drupal_get_destination(), I arrived at this new patch, which is simpler, and I believe is equivalent to the previous one.

Comment #6
dashohoxha commented

Comment #7
chrisguindon commented
Patch #5 applies cleanly for me and I do prefer the simplicity of this new patch! I tested it on my site and it's working!

Comment #9
dashohoxha commented
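As an added example (not the oauth2_client patch, whose contents the thread does not show), hypothetical Drupal 7 page callbacks for the three-step chain in the issue summary, also applying the $_GET['destination'] caveat from comment #2. The function names, the session key and the example_* helpers are assumptions; the core Drupal functions used are the real D7 API.

```php
<?php
// Added example, not the module's code. Function names, the session key and
// the example_* helpers are assumptions; drupal_* and url_is_external() are D7.

// Step 1: node/1/addfavorites?destination=node/1&argument=123123 needs a token.
// Save the current page *with its whole query string* before leaving.
function example_addfavorites_page($node) {
  if (!example_have_access_token()) {
    // drupal_get_destination() returns $_GET['destination'] when it is set
    // (node/1 here), which would skip this intermediate step entirely.
    // Build the return path from the current request instead.
    $query  = drupal_get_query_parameters();   // keeps destination+argument, drops q
    $return = current_path();
    if ($query) {
      $return .= '?' . drupal_http_build_query($query);
    }
    $_SESSION['example_oauth2_return'] = $return;
    example_start_authorization();             // assumed: redirects to the OAuth2 server
  }
  // Step 3: back here with a token. Do the work, then go to node/1; drupal_goto()
  // honours the destination parameter the original link carried.
  $argument = isset($_GET['argument']) ? $_GET['argument'] : NULL;
  example_add_favorite($node, $argument);       // assumed helper
  drupal_goto('node/' . $node->nid);
}

// Step 2: the redirect URI oauth2/authorized. Return to the saved page, not to
// that page's destination, and never to wherever the server's redirect says.
function example_oauth2_authorized_page() {
  // ... exchange the authorization code for an access token here (omitted) ...
  $return = isset($_SESSION['example_oauth2_return'])
    ? $_SESSION['example_oauth2_return'] : '<front>';
  unset($_SESSION['example_oauth2_return']);

  // The authorization server controls the query string it redirects back with.
  // drupal_goto() prefers $_GET['destination'] over its $path argument, so a
  // destination appended to this callback would hijack the chain (comment #2).
  // Discard it, and refuse anything that is not a local path.
  unset($_GET['destination']);
  if (url_is_external($return)) {
    $return = '<front>';
  }
  // Split "path?query" so url() gets a clean path and a proper query array.
  $parts = drupal_parse_url($return);
  drupal_goto($parts['path'], array(
    'query'    => $parts['query'],
    'fragment' => $parts['fragment'],
  ));
}
```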