We wanted to use the redirect module for our websites but it contains a critical flaw/bug.

It's very easy to create infinite loops. We are a webdesign company. Suppose we have websites with the pathauto and redirect modules enabled.

Suppose there's an editor for a Drupal website with an existing node called 'online marketing'. She changes the title to 'online marketing and more'. Pathauto is enabled, so that the url (online-marketing-and-more) is updated nicely, and the redirect module makes sure that visits to the 'old' url are redirected to the new one. Great so far. Now her boss/colleague sees her change in the website title and disagrees with it, and asks her to put it back to what it was. She edits the node and changes the title back to the original.

Now the redirect module creates a redirect from 'online-marketing-and-more' to 'online-marketing', but does not remove the previous redirect. Drupal now shows the node but with the message 'Oops, looks like this request tried to create an infinite loop. We do not allow such things here. We are a professional website!'. Strange, but she has too little knowledge and doesn't know what to do (not even having the permissions to administer redirects). Even more worrying is that visitors who are not logged in to the website get an 'infinite redirection' message in their browser.

This is, at least as we see it, a critical bug. Two things I think are wrong in the redirect module:

  1. Why does the redirect module try to redirect even if there is an existing page for the url 'online-marketing'?
  2. Why does the redirect module not delete the old redirect from 'online-marketing' to 'online-marketing-and-more' when inserting/updating a node that can be found under 'online-marketing'?

For this first point, I think that in redirect_init, there should be a check to menu_get_item to see if the url is recognized. If so, there is no point in checking for the existence of a deprecated/old url, because the page exists.

What do you think?

Kind regards,
Bas

Comments

ewenss’s picture

This bug has completely broken my site since the "infinite loop" is on the home page. Beyond nuking everything, is there some fix?

bvanmeurs’s picture

Go into the database, find the table where the redirects are stored and edit or empty it. Make a backup first.

damien_vancouver’s picture

There's much more discussion on this bug here: #1796596: Fix and prevent circular redirects

You can try the following two SQL queries to view, and then delete the duplicate redirects causing the problem.

Remember to back up your database before running SQL commands on it!

The Fix (for existing bad data and the Oops message)

Run these SQL queries in your MySQL database. If you have drush installed, you can just "drush sqlc" from your settings directory to get into a MySQL command line. Otherwise you can use PHPMyAdmin, MySQL workbench, or some other client tool to connect and run these:

Show records to be deleted:

SELECT r.rid, r.language, r.source, r.redirect FROM redirect r INNER JOIN url_alias u ON r.source = u.alias AND r.redirect = u.source AND r.language = u.language;

Delete redirects shown in above query:

DELETE r FROM redirect r INNER JOIN url_alias u ON r.source = u.alias AND r.redirect = u.source AND r.language = u.language;

There is also a patch at #1796596: Fix and prevent circular redirects that will probably prevent the error message from reappearing. It's quite easy to have it happen again if you are using pathauto, so the error message can come back.
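
A dry run of the two queries above on constructed data, added here as an illustration; it is not part of the original comment or of the Redirect module. It assumes a reduced version of the url_alias and redirect tables (only the columns the queries reference, plus a key), assumes redirects store their target as a system path such as node/1, and uses SQLite through Python so it runs offline; the helper names are hypothetical.

```python
import sqlite3

# Constructed sample data following the scenario in the original post:
# node/1 was renamed to "online marketing and more" and then renamed back.
# Reduced schema (assumption): only the columns the queries above reference.
SCHEMA = """
CREATE TABLE url_alias (pid INTEGER PRIMARY KEY, source TEXT, alias TEXT, language TEXT);
CREATE TABLE redirect  (rid INTEGER PRIMARY KEY, source TEXT, redirect TEXT, language TEXT);
INSERT INTO url_alias VALUES (1, 'node/1', 'online-marketing', 'und');
INSERT INTO redirect VALUES
  (1, 'online-marketing',          'node/1', 'und'),  -- left over from the first rename
  (2, 'online-marketing-and-more', 'node/1', 'und');  -- created when the title was put back
"""

# Same join as the SELECT in the comment above.
FIND = """
SELECT r.rid, r.language, r.source, r.redirect
FROM redirect r
INNER JOIN url_alias u
  ON r.source = u.alias AND r.redirect = u.source AND r.language = u.language
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def find_circular(db):
    # A redirect is circular when its source is the live alias of its own target.
    return db.execute(FIND).fetchall()

def delete_circular(db):
    # SQLite has no "DELETE r FROM ... JOIN", so delete by the rids the SELECT returned.
    rids = [row[0] for row in find_circular(db)]
    db.executemany("DELETE FROM redirect WHERE rid = ?", [(rid,) for rid in rids])
    db.commit()
    return rids

def remaining(db):
    return db.execute("SELECT rid, source, redirect FROM redirect ORDER BY rid").fetchall()

if __name__ == "__main__":
    db = build_db()
    print("circular:", find_circular(db))
    print("deleted rids:", delete_circular(db))
    print("kept:", remaining(db))
```

Only the redirect whose source is the node's current alias is matched; the redirect from the abandoned alias is still valid and is kept.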

nishantkumar155’s picture

For nginx you have to add the code below:
-------------------------------------------------------------------------

location / {
    # try_files $uri $uri/ =404;
    try_files $uri $uri/ @rewrite;
    index index.php;
}
location @rewrite {
    rewrite ^ /index.php;
}
--------------------------------------------------------------------------------