Problem/Motivation
Go to /admin/content and click Delete for some node entity.
Now you are on the Confirm page, where the Cancel link points to '/content' instead of '/admin/content'.
The problem lies in ConfirmFormHelper::buildCancelLink: from the query we get destination = '/admin/content', but before calling Url::fromUserInput for this path we prepend a slash to it. So we call Url::fromUserInput with the path '//admin/content', which returns '/content'. If we do not add the slash in front of the path, the returned URL correctly points to '/admin/content'.
Proposed resolution
Do not prepend a slash to the destination path in ConfirmFormHelper::buildCancelLink.
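The following PHP is an added illustration, not Drupal core code and not taken from any patch on this issue. It reproduces the '//admin/content' to '/content' effect described in the summary and contrasts the buggy and the fixed handling of the destination. The function names are hypothetical, and the assumption that Url::fromUserInput() resolves its argument through parse_url() with an internal: scheme is mine; it is used here because it yields exactly the '/content' result the summary reports.

```php
<?php
// Added example: hypothetical helpers, not Drupal's ConfirmFormHelper or Url.

// Assumption: Url::fromUserInput() accepts only input starting with '/', '#'
// or '?' and resolves it via parse_url('internal:' . $input). With two leading
// slashes, parse_url() treats the first segment ('admin') as the host and the
// remainder ('/content') as the path, which is the wrong cancel target.
function demo_user_input_to_path($userInput) {
  if ($userInput === '' || strpos('/#?', $userInput[0]) === FALSE) {
    throw new \InvalidArgumentException("Expected a relative path, got '$userInput'.");
  }
  $parts = parse_url('internal:' . $userInput);
  return isset($parts['path']) ? $parts['path'] : '';
}

// Before the fix: the helper prepends '/' even though the ?destination= value
// already starts with one, producing '//admin/content'.
function demo_cancel_path_buggy($destination) {
  return demo_user_input_to_path('/' . $destination);
}

// After the fix: pass the destination through unchanged. The extra guard
// rejects a scheme-relative value ('//host/...'), so a crafted destination
// cannot turn the cancel link into an off-site redirect; fall back to the
// front page instead of trusting such a value.
function demo_cancel_path_fixed($destination) {
  if ($destination === '' || $destination[0] !== '/' || substr($destination, 0, 2) === '//') {
    return '/';
  }
  return demo_user_input_to_path($destination);
}

// Constructed query string mimicking the Delete link from the /admin/content table.
parse_str('destination=/admin/content', $query);
printf("buggy: %s\n", demo_cancel_path_buggy($query['destination']));
printf("fixed: %s\n", demo_cancel_path_fixed($query['destination']));
// Constructed scheme-relative value: the fixed helper refuses it.
printf("scheme-relative: %s\n", demo_cancel_path_fixed('//other.example/elsewhere'));
```

The buggy helper loses the first path segment because parse_url() reads it as a host; the fixed helper keeps '/admin/content' intact and additionally refuses a scheme-relative destination, which is the same double-slash pattern that the open-redirect issue referenced in the comments below is about.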
Remaining tasks
none
User interface changes
none
API changes
none
Comment | File | Size | Author
---|---|---|---
#10 | 2501655-url-10-PASS.patch | 1.91 KB | tim.plunkett
 | fix_cancel_links.patch | 714 bytes | hchonov
#4 | cancel_urls_for_delete-2501655-4.patch | 732 bytes | willzyx
#8 | 2501655-url-8-PASS.patch | 1.2 KB | tim.plunkett
#8 | 2501655-url-8-FAIL.patch | 1.2 KB | tim.plunkett
Comments
Comment #2
willzyx: I cannot replicate the issue... and looking at Url::fromUserInput
Comment #3
hchonov: @willzyx I made a new checkout and I still have the same problem.
Which URL does the cancel button point to under /node/1/delete?destination=/admin/content in your installation? You get to this path when you go to /admin/content and select Delete for one of the node entities from the table. Caution: do not go to the node entity and then to the Delete local task; select Delete from the operations column of the table under /admin/content.
I tested with the node and term entities, and for both I get in ConfirmFormHelper::buildCancelLink the path with a leading slash, and then a second slash is prepended.
Comment #4
willzyx: @hchonov OK, I got it. Running the installation in a subdirectory (http://drupal.dev/drupal/), like I did when I tested, the back link works as expected (and the testbot also runs the installation in a subfolder).
If the docroot of the web server coincides with the installation folder (http://drupal.dev/), the issue is reproducible.
This sadly underlines that there is not complete test coverage for these cases.
Comment #5
hchonov: Is this issue maybe related? It also addresses double slashes... #2504141: Information disclosure/open redirect vulnerability via blocks that contain a form
Comment #6
webchick: Very nice catch!
Let's make sure we add an automated test here so we don't break this again.
Comment #7
tim.plunkett: This also fixes #2504671: /admin/content delete VBO cancel link goes to /content
I'm going to try my hand at some test coverage.
Comment #8
tim.plunkett: We had test coverage; it just wasn't complete enough.
Comment #9
tim.plunkett
Comment #10
tim.plunkett: Uploaded the FAIL patch twice.
Comment #12
dawehner: Cool!
Comment #13
webchick: Awesome, thanks!
Committed and pushed to 8.0.x.