with drupal 7.35 the destination url parameter is sanitized in bootstrap.inc
i'm using an external library that passes a destination array as url parameter.
this creates a warning, because url_is_external($path) expects $path to be a string and is using some string functions like strpos on it.
Furthermore the $_GET['destination'] gets unset.

function _drupal_bootstrap_variables() {
  ....
  // Sanitize the destination parameter (which is often used for redirects) to
  // prevent open redirect attacks leading to other domains. Sanitize both
  // $_GET['destination'] and $_REQUEST['destination'] to protect code that
  // relies on either, but do not sanitize $_POST to avoid interfering with
  // unrelated form submissions. The sanitization happens here because
  // url_is_external() requires the variable system to be available.
  if (isset($_GET['destination']) || isset($_REQUEST['destination'])) {
    require_once DRUPAL_ROOT . '/includes/common.inc';
    // If the destination is an external URL, remove it.
    if (isset($_GET['destination']) && url_is_external($_GET['destination'])) {
      unset($_GET['destination']);
      unset($_REQUEST['destination']);
    }
    // If there's still something in $_REQUEST['destination'] that didn't come
    // from $_GET, check it too.
    if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && url_is_external($_REQUEST['destination'])) {
      unset($_REQUEST['destination']);
    }
  }
}

a possible fix would be a check if $_GET['destination'] or $_REQUEST['destination'] are arrays.

...
if ((isset($_GET['destination']) && !is_array($_GET['destination'])) || (isset($_REQUEST['destination']) && !is_array($_REQUEST['destination']))) {
...
}
CommentFileSizeAuthor
#1 drupal-destination-url-parameter-bug-2456331-1.patch850 bytesmukki182
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

mukki182’s picture

mukki182 CreditAttribution: mukki182 commented
FileSize
drupal-destination-url-parameter-bug-2456331-1.patch850 bytes

added a patch

mukki182’s picture

mukki182 CreditAttribution: mukki182 commented
Version: 7.35 » 7.41
mukki182’s picture

mukki182 CreditAttribution: mukki182 commented
Status: Active » Needs review
mukki182’s picture

mukki182 CreditAttribution: mukki182 commented
Version: 7.41 » 7.43
Elijah Lynn’s picture

Elijah Lynn
Location Portland, Oregon
CreditAttribution: Elijah Lynn at NBCUniversal commented

Just ran into this as well with a $form['destination'] and the POST has an array in $_REQUEST['destination'] now and gives the same error. The workaround would also be to refactor the form I guess, would much rather core take care of this though. I will consider this patch.

Thanks for posting this issue.

Elijah Lynn’s picture

Elijah Lynn
Location Portland, Oregon
CreditAttribution: Elijah Lynn at NBCUniversal commented

The commit message for this code in Drupal is simply "Drupal 7.35'. There is no issue associated with this change.

http://cgit.drupalcode.org/drupal/commit/?id=b44056d2f8e8c71d35c85ec5c2f...

Elijah Lynn’s picture

Elijah Lynn
Location Portland, Oregon
CreditAttribution: Elijah Lynn at NBCUniversal commented

I should add that $_REQUEST is populated with values from $_POST.

Elijah Lynn’s picture

Elijah Lynn
Location Portland, Oregon
CreditAttribution: Elijah Lynn at NBCUniversal commented
Status: Needs review » Reviewed & tested by the community

This appears to be an okay solution and is working. I get the feeling we don't need this for our $_POST case but until I figure that out I feel good enough to run this in production.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commented
Status: Reviewed & tested by the community » Needs work

I am very back-and-forth on this issue.

a) It is a regression as the security fix has broken existing code

b) It is a security fix and destination is really internal to Drupal

To check for is_array() is fine, but the consequence would be to still unset it as IIRC an array even is valid as destination.

So thanks for the bug report, but please do not try to deal with the destination parameter, it is bad if someone can lead you to vulnerablesite.com automatically or do a phishing attempt.

Here is a work-around:

- In $settings.php check for $_GET['destination'] and if its an array in your preferred format put it into another variable instead.

settings.php is before _drupal_bootstrap_variables() so that should work.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein as a volunteer commented
Version: 7.43 » 8.1.x-dev
Issue tags: -destination, -bootstrap.inc, -bootstrap +Needs backport to D7

The same code exists in Drupal 8 also: https://api.drupal.org/api/drupal/core!lib!Drupal!Core!EventSubscriber!R...

So Drupal for a long time has assumed in various places that $_GET['destination'] is a string -- Drupal 7.35 didn't introduce that, just made the assumption happen on all page requests so it's more visible now. (But it may actually have introduced the assumption that $_REQUEST['destination'] is a string.)

What Fabianx said makes sense to me - is_array() could be used to avoid the warnings, but the most reasonable thing to do if it is an array still sounds like unsetting it.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan at PreviousNext commented
Version: 9.4.x-dev » 7.x-dev
Issue tags: +Bug Smash Initiative

This is no longer an issue in Drupal 9, as we support an array for the destination parameter.

You can see this by going to manage fields on the article content type and clicking add field, then adding a new field

The url has

?destinations[0][route_name]=entity.field_config.node_field_edit_form&destinations[0][route_parameters][field_config]=node.article.kjljhg&destinations[0][route_parameters][node_type]=article&destinations[1][route_name]=entity.node.field_ui_fields&destinations[1][route_parameters][field_config]=node.article.kjljhg&destinations[1][route_parameters][node_type]=article&destinations[2]=/admin/structure/types/manage/article/fields/add-field

I.e an array of destinations so that you go between the 'manage field storage', 'manage field' and then back to 'manage fields'.

luenemann’s picture

luenemann
Primary language German
Location Südbaden, Germany
CreditAttribution: luenemann at Equinoxe GmbH commented
Version: 7.x-dev » 9.4.x-dev

This is still a problem in Drupal 9 and 10.

Add ?destination[] to URL.

  • In D9 you get 5 php warnings and 1 php notice. The first warning is:
    Warning: strpos() expects parameter 1 to be string, array given in Drupal\Component\Utility\UrlHelper::parse() (line 145 of /var/www/html/web/core/lib/Drupal/Component/Utility/UrlHelper.php)
#0 /var/www/html/web/core/includes/bootstrap.inc(347): _drupal_error_handler_real(2, 'strpos() expect...', '/var/www/html/w...', 145)
#1 [internal function]: _drupal_error_handler(2, 'strpos() expect...', '/var/www/html/w...', 145, Array)
#2 /var/www/html/web/core/lib/Drupal/Component/Utility/UrlHelper.php(145): strpos(Array, '://')
#3 /var/www/html/web/core/lib/Drupal/Core/Security/RequestSanitizer.php(141): Drupal\Component\Utility\UrlHelper::parse(Array)
#4 /var/www/html/web/core/lib/Drupal/Core/Security/RequestSanitizer.php(103): Drupal\Core\Security\RequestSanitizer::checkDestination(Array, Array)
  • In D10 you get a WSOD and the php error is:
    Symfony\Component\HttpFoundation\Exception\BadRequestException: Input value "destination" contains a non-scalar value. in Symfony\Component\HttpFoundation\InputBag->get() (line 37 of /var/www/html/vendor/symfony/http-foundation/InputBag.php)
#0 /var/www/html/core/lib/Drupal/Core/Security/RequestSanitizer.php(93): Symfony\Component\HttpFoundation\InputBag->get('destination')

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.