Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This code:
$options = drupal_parse_url(urldecode($_GET['destination']));
Documentation has an example where $_GET['destination']
is used directly and urldecode
is not used with drupal_parse_url()
anywhere else in core.
Comment | File | Size | Author |
---|---|---|---|
#10 | unnecessary-urldecode-1569580-10.patch | 524 bytes | naxoc |
unnecessary-urldecode.patch | 544 bytes | naxoc | |
Comments
Comment #1
August1914 CreditAttribution: August1914 commentedComment #2
August1914 CreditAttribution: August1914 commentedPatch applies cleanly, and it makes sense, but I couldn't find a path to the scenario that executes that line of code is system.module
function confirm_form
in the case where
isset($_GET['destination')
evaluates to true, to get to the changed line.
Comment #3
webchickconfirm_form() fires whenever you do something like, say, delete a node or a URL alias or similar and it displays an "are you sure?" message.
Note that if you ever want to know where core uses a particular function, you can go to a page like http://api.drupal.org/api/drupal/modules%21system%21system.module/functi... and scroll down to the "XX calls to function_name()" part. This takes you to a page like http://api.drupal.org/api/drupal/modules%21system%21system.module/functi... that lets you see the function used in context.
Hope that helps!
Comment #4
August1914 CreditAttribution: August1914 commentedThanks for the link, that is helpful. The question here is how to get a manual test which covers the code change; tracing into system.confirm_form() is straight forward, but the condition guarding the code change is always false (for me).
Here's the whole statement:
the changed line is
$options = drupal_parse_url($_GET['destination']);
the guard condition is
if (isset($_GET['destination']))
So far is I can tell,
grep -r "\$_GET\['destination'\] =" .
$_GET['destination'] will only be set if our path has taken us through a MENU_ACCESS_DENIED or MENU_NOT_FOUND (common.inc drupal_deliver_html_page), and one scenario in batch.inc.
If there is no way to get to the code, maybe it could be removed, rather than fixed to comply with the docs. In any case this is a small matter, maybe we should just clear this change as it is...
Comment #5
tim.plunkettOn the page
http://d7.local/admin/content
, click delete on a node. The URL will be something like http://d7.local/node/52/delete?destination=admin/contentComment #6
dags CreditAttribution: dags commentedComment #7
dags CreditAttribution: dags commentedConfirmed that use of urldecode() is indeed unnecessary. Needs backport to 7.
Comment #8
dags CreditAttribution: dags commentedfixing tag
Comment #9
catchCommitted/pushed to 8.x, moving to 7.x for backport.
Comment #10
naxoc CreditAttribution: naxoc commentedReroll for D7.
Comment #11
naxoc CreditAttribution: naxoc commented10: unnecessary-urldecode-1569580-10.patch queued for re-testing.
Comment #12
dcam CreditAttribution: dcam commentedThis is the exact same change that went into D8.
Comment #14
er.pushpinderrana CreditAttribution: er.pushpinderrana commented10: unnecessary-urldecode-1569580-10.patch queued for re-testing.
Comment #15
dcam CreditAttribution: dcam commentedComment #17
dcam CreditAttribution: dcam commented10: unnecessary-urldecode-1569580-10.patch queued for re-testing.
Comment #18
mgiffordComment #21
mgiffordComment #24
dcam CreditAttribution: dcam commentedComment #27
dcam CreditAttribution: dcam commentedComment #29
Damien Tournoud CreditAttribution: Damien Tournoud commentedThis is not only unnecessary, it is totally incorrect. I don't understand why this was committed to 8.x without tests.
Comment #32
arnested CreditAttribution: arnested at Reload commentedThis fix went into Drupal 7.52 as a security fix.