Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.From #2291717: Account url alias lead to Forbidden, I discovered that paths that start with . are possible. Web server configuration will often forbid requests to those paths, since dotfiles tend to be special.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 2292017.diff | 535 bytes | drumm |
Comments
Comment #1
drummI put the filtering toward the end of
pathauto_cleanstring()since other filtering may also change the initial characters.Comment #2
Dave ReidWhat is the "Period (.)" punctuation setting set to under admin/config/search/path/settings? By default it should be 'Remove'. Why is that not happening in this case?
Comment #3
Dave ReidComment #4
drummWe allow periods since usernames allow periods.
Comment #5
Dave ReidHrm, then I'm inclined to say this is a Pathauto misconfiguration issue. I would highly recommend using the 'replace with separator' option for periods instead of leaving them alone.
Unless we can research all the potential prefixes that could be forbidden by all the supported webservers of Drupal, I don't feel like this is warranted.
Comment #6
drummSince core, and Drupal.org, allow both "neil.drumm" and "neil-drumm" usernames, it would be ideal to keep the paths as-is, rather than going into "neil-drumm-0". It is an edge case, but we have plenty of usernames, and this sort of thing does happen.
Drupal.org might need to tackle this in web server configuration instead, since we also have #2272429: Searching for strings and usernames starting with . is forbidden. And someone named "foo.module" will probably get the same forbidden message.
Comment #7
kreynen CreditAttribution: kreynen commentedI think I just ran into a user with a user named .John in #2131957: issue when Drupal is not in the web root folder. https://www.drupal.org/user/.john returns a 403 Forbidden.
Comment #8
JKingsnorth CreditAttribution: JKingsnorth commentedThe 'period' issue also happens in Drupal searches. This issue is being addressed for Drupal.org specifically here: #2272429: Searching for strings and usernames starting with . is forbidden
Comment #9
Dave ReidOk I've come around on this. Let's add some test coverage to ensure this has coverage.
Comment #10
Dave ReidComment #11
Dave ReidComment #12
drummI added writing these tests to our internal staff tracker. I'll take a shot at it when it Agiles itself to the top of the backlog. In the meantime, others should feel free to jump in.
Comment #13
Dave ReidComment #14
Dave ReidNot sure what the state of this is, seeing as it was fixable from an htaccess standpoint.
Comment #15
drummYes, this no longer affects Drupal.org.