In Drupal 8 and earlier, it is possible for a user to create a path alias that clobbers an essential core route such as "admin" or "user/login". For example, a malicious user with permission to create content using an unfiltered text format and to "Create and edit URL aliases" could override the "user/login" path with a node crafted to look like the login page, but whose HTML form posts the submission to another URL that harvests the login credentials. Of course, less serious abuses are easy to imagine, such as merely rendering certain admin pages inaccessible.
Perhaps the path alias system should, in its validation handler(s) (validation logic is unfortunately duplicated in various places, depending on what interface you create the alias through), make sure that a requested path is not already defined. That could be a UX improvement, too. But then I don't know if that conflicts with behavior that might be considered a feature.
Come to consensus on how to handle the issue.
User interface changes
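A sketch of the check proposed in the issue summary above: rejecting a requested alias when it is already a defined path. This is an added example, not Drupal's code and not a patch from this issue. The function names and route list are hypothetical, and it goes slightly beyond the summary by also matching route patterns with `{placeholder}` segments and by assuming comparison should ignore case and stray slashes.

```php
<?php
// Added example: the routes below are constructed samples, not Drupal's route table.

/** Normalize a path for comparison: collapse repeated slashes, trim, lowercase. */
function normalize_path(string $path): string {
    $path = preg_replace('#/+#', '/', trim($path));
    return strtolower(trim($path, '/'));
}

/**
 * Return the first route pattern the requested alias would shadow, or null.
 * A "{name}" segment in a pattern matches any single path segment.
 */
function find_conflicting_route(string $alias, array $routePatterns): ?string {
    $aliasParts = explode('/', normalize_path($alias));
    foreach ($routePatterns as $pattern) {
        $patternParts = explode('/', normalize_path($pattern));
        if (count($patternParts) !== count($aliasParts)) {
            continue;
        }
        $matches = true;
        foreach ($patternParts as $i => $part) {
            $isPlaceholder = preg_match('/^\{[^}]+\}$/', $part) === 1;
            if (!$isPlaceholder && $part !== $aliasParts[$i]) {
                $matches = false;
                break;
            }
        }
        if ($matches) {
            return $pattern;
        }
    }
    return null;
}

// Constructed sample routes (hypothetical subset of what a site defines).
$routes = ['admin', 'user/login', 'user/{user}/edit', 'node/{node}'];

// Constructed alias requests; the validation handler would refuse any that hit.
foreach (['user/login', '/User/Login/', 'admin', 'about-us', 'user/7/edit'] as $alias) {
    $hit = find_conflicting_route($alias, $routes);
    echo str_pad($alias, 14), $hit === null ? 'ok' : "rejected: shadows route \"$hit\"", PHP_EOL;
}
```

Because the summary notes that alias validation is duplicated across interfaces, a check like this only helps if every alias-creation path calls the same function.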