Problem/Motivation

The upstream UrlGenerator provides a list of special characters to decode. We only care about '%2F' => '/'.
But UrlGenerator only applies this decoding to the path of the URL, not to any of the querystring values.

For example, if you wanted to generate admin/config?destination=admin/content, in HEAD you couldn't by using route names, it would come out as admin/config?destination=admin%2Fcontent, with the second / encoded.

Proposed resolution

Find a way to work around the upstream code
Also open an upstream issue

Remaining tasks

User interface changes

API changes

CommentFileSizeAuthor
#17 2345725-query-url-17.patch1.88 KBtim.plunkett
#5 interdiff.txt749 bytestim.plunkett
#5 2345725-query-url-5.patch3.86 KBtim.plunkett
#1 2345725-url-query-params-1.patch3.86 KBtim.plunkett
#1 2345725-url-query-params-1-do-not-test.patch1.59 KBtim.plunkett
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett commented
Status: Active » Needs review
FileSize
2345725-url-query-params-1-do-not-test.patch1.59 KB
2345725-url-query-params-1.patch3.86 KB

Symfony's docs explicitly say that the decodedChars is for "the path segment of the generated URL", not the query string.
So I'm not sure if we should push this upstream. If so, it can be done in doGenerate().

But since that generation is not in a dedicated method, we have to do it after the URL is generated.

In order to add a new test case it took some refactoring of the existing test methods, so I've attached a do-not-test patch with just my changes after the refactoring.

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett commented
Priority: Normal » Critical
Issue summary: View changes
dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented
Status: Needs review » Needs work

So why the fuck is nobody able to open up an issue against symfony?

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented 
+++ b/core/lib/Drupal/Core/Routing/UrlGenerator.php
@@ -122,6 +122,10 @@ protected function getInternalPathFromRoute(SymfonyRoute $route, $parameters = a
+      list($path, $query) = explode('?', $path);

Can we ensure to use explode(' ..., 2) as always?

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett commented
Status: Needs work » Needs review
FileSize
2345725-query-url-5.patch3.86 KB
interdiff.txt749 bytes

We cannot push this upstream as-is. We'd need to have a second property like $decodedChars that is specifically for query params, otherwise it'd be a Symfony BC break.

Here's the fix for our code.

Crell’s picture

Crell CreditAttribution: Crell commented

If I understand the upstream issue correctly:

- doGenerate() does too much in one method, so we can't easily override just part of it to do this.

- It's unclear if Symfony would consider escaping additional characters in the query parameters to be an API break. (I wouldn't consider it one but Symfony has a tighter BC policy than Drupal at the moment.)

- This is mostly a cosmetic issue, making query parameters actually readable by humans. It shouldn't impact the actual executability of code.

That means our options are:

1) Just do it ourselves post-generate (aka, #5. Easy but a but fugly.)

2) Refactor doGenerate() upstream so that we can override just a bit of it to do whatever escaping we need. (ie, break it into a series of methods; that should be entirely safe from a BC perspective.)

3) Modify doGenerate() upstream to also escape query parameters, if Symfony permits.

I think it's best on this one to defer to upstream. I've pinged fabpot and lsmith for their recommendation on how to proceed.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx commented

Is there a link to an upstream issue?

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented

Well, as always, just a few people actually try to fill these upstream issues: https://github.com/symfony/symfony/issues/12200

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented
Status: Needs review » Needs work

@tim.plunkett
As someone mentioned on the symfony issue, we cannot escape most of the characters but can only do '?' and '/' which is already enough for our cases.
For example '[' and ']' introduces regressions of arrays in query arguments.

martin107’s picture

martin107 CreditAttribution: martin107 commented
Issue tags: +Needs reroll
dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented
Status: Needs work » Postponed

Let's mark i actually as postponed on the symfony issue.

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Status: Postponed » Needs work

https://github.com/symfony/symfony/issues/12200 got merged - anything needed here other than a Symfony update now?

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented

@catch
This just got merged into master, so it will be available once 2.6 is released which will be quite time soon. I think its not worth to go to master
just because of that.

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Status: Needs work » Postponed

OK I opened #2366043: Upgrade to Symfony 2.6.0-beta1, let's mark this postponed - if there's a good reason to patch or go to master prior to 2.6, we can re-open for that.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir commented
Status: Postponed » Needs work

That update was committed, so back to needs work?

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented

I think it's just a case of committing the tests here now.

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett commented
Status: Needs work » Needs review
FileSize
2345725-query-url-17.patch1.88 KB

Here's just the test. I can confirm this fails if you comment out the upstream fix to UrlGenerator.

Crell’s picture

Crell CreditAttribution: Crell commented
Status: Needs review » Reviewed & tested by the community

Assuming it passes...

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented

+1

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott commented
Category: Bug report » Task
Priority: Critical » Normal
Status: Reviewed & tested by the community » Fixed
Issue tags: -Needs reroll

Changed category and priority to reflect what the patch is actually doing. This issue is a prioritized change (adding tests) as per https://www.drupal.org/core/beta-changes and it's benefits outweigh any disruption. Committed fd63394 and pushed to 8.0.x. Thanks!

  • alexpott committed fd63394 on 8.0.x 
    Issue #2345725 by tim.plunkett: Query parameters are not decoded the...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.