`$http_host` will contain a `.` or two, which is a special character for regexps and should be quoted. This would also remove the slim possibility of using this as part of a ReDoS attack.
Comment | File | Size | Author |
---|---|---|---|
#14 | drupal-file_url_transform_relative-2257231-14.patch | 2.62 KB | Sebastien M. |
#12 | drupal-file_url_transform_relative-2257231-12.patch | 2.59 KB | Sebastien M. |
#3 | 2257231.diff | 438 bytes | drumm |
Comments
Comment #1
drumm
Comment #2
drumm
(fix typo in issue summary)
Comment #3
drumm
Adding the delimiter to `preg_quote()`.
Comment #5
drumm
That seems unreasonable.
Comment #6
drumm
3: 2257231.diff queued for re-testing.
Comment #7
meeli
Seems reasonable, but it seems like we need some tests for this to make sure it outputs what we're expecting.
Comment #8
drumm
Comment #12
Sebastien M.
This patch includes kernel tests.
Comment #14
Sebastien M.
My fault, file paths updated.
Comment #15
Sebastien M.
Comment #18
Jody Lynn
I actually just got bit by this issue.
I'm serving files from S3 with URLs like https://foo-org-private.s3.amazonaws.com/.... on the site foo.org. So the result of file_url_transform_relative (which was called by FileMediaFormatterBase) was to change my URLs to be -private.s3.amazonaws.com/....
Not only did it mix up the -org with .org as described here, but it also didn't mind that my domain name only began with my host domain rather than matching it.
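The scenario from comment #18, reproduced as an added example that is not Drupal's own code: a minimal stand-in for file_url_transform_relative() that concatenates the host raw into the pattern, beside a variant that passes it through preg_quote() with the delimiter (comment #3). The function names, the `|` delimiter and the host-boundary lookahead are assumptions of this demo; the boundary check is extra hardening beyond what the page's patch describes.

```php
<?php
// Added example (not Drupal core code). A reduced stand-in for
// file_url_transform_relative(): $http_host is assumed to already hold the
// site's host (plus port, when non-default), as the real function builds it.

/**
 * Unsafe variant: $http_host is interpolated unescaped, so the "." in
 * "foo.org" matches any character and "foo-org..." is stripped as if it
 * were the local host.
 */
function transform_relative_unquoted(string $file_url, string $http_host): string {
  return preg_replace('|^https?://' . $http_host . '|', '', $file_url);
}

/**
 * Hardened variant: preg_quote() escapes regexp metacharacters, and its
 * second argument additionally escapes the "|" pattern delimiter.
 * (?![^/]) is an assumed extra boundary check (next char must be "/" or
 * end of string) so "foo.org" cannot match "foo.org.example.net".
 */
function transform_relative_quoted(string $file_url, string $http_host): string {
  $pattern = '|^https?://' . preg_quote($http_host, '|') . '(?![^/])|';
  return preg_replace($pattern, '', $file_url);
}

// Constructed inputs: site on foo.org, files served from S3 (comment #18),
// plus a local file URL and a foreign host that merely starts with foo.org.
$http_host = 'foo.org';
$cases = [
  'https://foo-org-private.s3.amazonaws.com/files/a.png', // must be left alone
  'https://foo.org/sites/default/files/a.png',            // must become root-relative
  'https://foo.org.example.net/files/a.png',              // foreign host, left alone
];

foreach ($cases as $url) {
  printf("%s\n  unquoted: %s\n  quoted:   %s\n",
    $url,
    transform_relative_unquoted($url, $http_host),
    transform_relative_quoted($url, $http_host));
}
```

For the S3 URL the unquoted variant returns `-private.s3.amazonaws.com/files/a.png`, exactly the mangled result reported above, while the quoted variant leaves it untouched and still reduces the foo.org URL to `/sites/default/files/a.png`.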
Comment #19
Jody Lynn
Confirmed the patch fixes it.
Comment #20
alexpott
I've confirmed the tests fail without the fix.
Comment #21
alexpott
Crediting @Jody Lynn for testing that the fix covers the scenario detailed in #18.
Committed d32d0c5 and pushed to 8.6.x. Thanks!
Setting to "patch (to be ported)" to backport to 8.5.x once the commit freeze is over.
Comment #24
alexpott