Problem/Motivation

By accessing a site an an unexpected base path (e.h. with index.php) I may be able to force links to be cached that way and that could be considered a minor site defacement and possibly lead to a duplicate content SEO penalty too.

Expected behavior:

If I am on the homepage / using clean URLs (index.php is not in the URL)
The link to "My Account" is using a clean URL also

If manually navigate to /index.php
The link to "My Account" is rendered with /index.php in the path

If I clear cache and manually navigate to /index.php
And then navigate to the clean URL /
The link to "My Account" is using a clean URL also

Actual behavior:

If I am on the homepage / using clean URLs (index.php is not in the URL)
The link to "My Account" is using a clean URL also

If manually navigate to /index.php
The link to "My Account" is NOT CORRECTLY rendered with /index.php in the path

If I clear cache and manually navigate to /index.php
And then navigate to the clean URL /
The link to "My Account" is NOT CORRECTLY using a clean URL also

Only rendered absolute URLs reflect the index.php in the base URL because that's the only time the UrlGenerator sets the cache context.

Steps to reproduce

  • Rebuild caches
  • Add index.php immediately after the domain name. E.g. https://site.tld/index.php
  • Now click on any link on the frontend (node, menu items, etc.) and observe that index.php is persisting in the URL
  • Manually remove it from the URL and click on a few more links
  • Observe that it's coming back almost always with the default theme (Bartik)
  • Observe that on backend links it does not seem to be interfering, except on the first link you click on when you're still within Bartik (which makes sense)

Proposed resolution

Add the cache context 'url.site' to all GeneratedUrl objects in \Drupal\Core\Routing\UrlGenerator::generateFromRoute except in the _no_path case

OR

define a new cache context that depends on the base url of the request, but not the scheme and host.

OR

Close this issue in favor of a new feature allowing Drupal to 403 on an unexpected base URL via settings.php like the trusted hosts setting

Remaining tasks

Write a test showing the bug

User interface changes

none

API changes

none

Data model changes

none

CommentFileSizeAuthor
#36 2819197-36.patch13.44 KBandypost
#36 interdiff.txt649 bytesandypost
#35 2819197-35.patch13.44 KBandypost
#35 interdiff.txt6.82 KBandypost
#34 2819197-34.patch7.48 KBandypost
#31 2819197-31.patch6.37 KBAnkit.Gupta
#27 2819197-27.patch7.53 KBkarishmaamin
#8 increment-2819197-8.txt6.54 KBpwolanin
#8 2819197-8.patch8.86 KBpwolanin
#6 2819197-6.patch2.33 KBpwolanin
#2 2819197-2.patch1.19 KBpwolanin
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

pwolanin created an issue. See original summary.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at SciShield commented
Status: Active » Needs review
Issue tags: +Needs tests
FileSize
2819197-2.patch1.19 KB

Here's a possible simple fix. NR for bot (needs tests)

Status: Needs review » Needs work

The last submitted patch, 2: 2819197-2.patch, failed testing.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at SciShield commented

Hmm, fun - that adds another cache context to a lot of things.

Probably need some feedback here from Wim Leers, berdir, or core maintainers about the relative importance of fixing this.

I stumbled on this via #2818185: Views methods FieldPluginBase::renderAsLink and renderText() uses base_path() when it should use $context->getBaseUrl()

It seems like views link rendering and and other things may not work as expected if the rendered url can get cached with an unexpected index.php in the base url.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at SciShield commented
Version: 8.2.x-dev » 8.3.x-dev

From discussion with catch, bumping to 8.3 for now since it requires a new cache context to fix correctly.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at SciShield commented
Status: Needs work » Needs review
FileSize
2819197-6.patch2.33 KB

back to NR for bot - expect I will see some of the same unit test fails

Status: Needs review » Needs work

The last submitted patch, 6: 2819197-6.patch, failed testing.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at SciShield commented
Status: Needs work » Needs review
FileSize
2819197-8.patch8.86 KB
increment-2819197-8.txt6.54 KB

With some possible test fixes

Status: Needs review » Needs work

The last submitted patch, 8: 2819197-8.patch, failed testing.

Wim Leers’s picture

Wim Leers
Location Ghent 🇧🇪🇪🇺
CreditAttribution: Wim Leers at Acquia commented
Priority: Normal » Minor

I'm pretty sure we discussed this very problem before, but if so, we obviously failed, because we didn't document our reasoning for not implementing the expected behavior described in the IS

This is what I think I remember:

  1. a site is either accessed via http://example.com or http://somedomain.com/example, not both
  2. for similar reasoning, a site is either accessed via http://example.com or http://example.com/index.php, not both

IMO this is up to framework managers to decide whether this is a bug or intentional. In any case, I think this is a very minor edge case.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at SciShield commented
Issue summary: View changes
Priority: Minor » Normal
Related issues: +#2818185: Views methods FieldPluginBase::renderAsLink and renderText() uses base_path() when it should use $context->getBaseUrl()

So assuming we get #2818185: Views methods FieldPluginBase::renderAsLink and renderText() uses base_path() when it should use $context->getBaseUrl() fixed soon also, this bug may cause Views to incorrectly render links if the site is accessed with different base paths.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at SciShield commented
Issue summary: View changes

Or, we could close this issue in favor of a new feature allowing Drupal to 403 on an unexpected base URL via settings.php like the trusted hosts setting

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

cilefen’s picture

cilefen CreditAttribution: cilefen commented
Issue tags: +Needs framework manager review
anavarre’s picture

anavarre
Primary language French
Location 🇪🇺
CreditAttribution: anavarre at Acquia commented

Just registering I've seen this issue ~5 times on different sites in the past month and very confused people not knowing what to do and certainly not looking at cached paths but instead .htaccess redirects or anything that would alter paths instead.

anavarre’s picture

anavarre
Primary language French
Location 🇪🇺
CreditAttribution: anavarre at Acquia commented
Issue summary: View changes

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost as a volunteer and at Skilld commented
Issue tags: +Needs reroll

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

karishmaamin’s picture

karishmaamin CreditAttribution: karishmaamin at Specbee commented
Status: Needs work » Needs review
FileSize
2819197-27.patch7.53 KB

Re-rolled against 9.4.x

Status: Needs review » Needs work

The last submitted patch, 27: 2819197-27.patch, failed testing. View results

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Ankit.Gupta’s picture

Ankit.Gupta CreditAttribution: Ankit.Gupta at Dotsquares Ltd. commented
Status: Needs work » Needs review
Issue tags: -Needs reroll
FileSize
2819197-31.patch6.37 KB

Rerolled the patch #27 with Drupal 10.1.x

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative, +Needs change record

Seems last patch had a number of failures.

Adding a new service will require a change record.

andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost as a volunteer and at Skilld commented
Parent issue: » #2491981: There are too many ways to generate URLs and links
andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost as a volunteer and at Skilld commented
FileSize
2819197-34.patch7.48 KB

Proper re-roll to get number of failed tests, looks a lot of tests needs to add new context

andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost as a volunteer and at Skilld commented
Status: Needs work » Needs review
FileSize
interdiff.txt6.82 KB
2819197-35.patch13.44 KB

fix some tests

andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost as a volunteer and at Skilld commented
FileSize
interdiff.txt649 bytes
2819197-36.patch13.44 KB

Fix CS

Status: Needs review » Needs work

The last submitted patch, 36: 2819197-36.patch, failed testing. View results

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented 
+++ b/core/modules/block/tests/src/Functional/Views/DisplayBlockTest.php
@@ -318,7 +318,7 @@ public function testBlockEmptyRendering() {
     // empty block.
     $this->assertCacheTags(array_merge($block->getCacheTags(), ['block_view', 'config:block_list', 'config:views.view.test_view_block', 'http_response', 'rendered']));
-    $this->assertCacheContexts(['url.query_args:_wrapper_format']);
+    $this->assertCacheContexts(['url.base', 'url.query_args:_wrapper_format']);

This is an expensive fix if we end up with this cache context pretty much everywhere, leads to a ton of cache redirects. Would pretty much need to consider making this a required cache context then.