redirect_goto always leads to a blank page if one of the status codes in redirect_status_code_options() is translated incorrectly.
The source of the issue is: drupal_add_http_header('Status', redirect_status_code_options($redirect->status_code));
Since the statuses in redirect_status_code_options() are wrapped in t(), this can be a cause of vulnerability.
The Status header should always start with the number, like "301 ...". If someone translates a locale string, for example "301 Moved Permanently", as "Content is moved (301)", redirects become broken for the whole site.
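The mechanism described in the issue summary, as an added PHP example that is not code from the Redirect module or Drupal core: t_stub() is a constructed stand-in for Drupal's t() backed by a constructed fake locale table, status_header_is_valid() is a hypothetical guard (not a Drupal API), and the two option builders contrast the translatable "code + reason" shape the issue describes with one where only the reason phrase is translatable.

```php
<?php
// Added example; not code from the Redirect module or Drupal core.
// t_stub() is a constructed stand-in for Drupal's t(): it looks the
// string up in a fake locale table and falls back to the original.
function t_stub($string, array $translations) {
  return isset($translations[$string]) ? $translations[$string] : $string;
}

// Shape the issue describes: the whole "code + reason phrase" string is
// translatable, so a translator can move or drop the numeric code.
function status_options_translated(array $translations) {
  return array(
    300 => t_stub('300 Multiple Choices', $translations),
    301 => t_stub('301 Moved Permanently', $translations),
    302 => t_stub('302 Found', $translations),
    303 => t_stub('303 See Other', $translations),
    307 => t_stub('307 Temporary Redirect', $translations),
  );
}

// Hardened shape: only the reason phrase goes through translation; the
// numeric code is prepended untranslated, so the header always starts
// with it whatever the translator wrote.
function status_options_safe(array $translations) {
  $reasons = array(
    300 => 'Multiple Choices',
    301 => 'Moved Permanently',
    302 => 'Found',
    303 => 'See Other',
    307 => 'Temporary Redirect',
  );
  $out = array();
  foreach ($reasons as $code => $reason) {
    $out[$code] = $code . ' ' . t_stub($reason, $translations);
  }
  return $out;
}

// Hypothetical guard (not a Drupal API): a Status header value is only
// usable if it begins with a three-digit code followed by a space.
function status_header_is_valid($value) {
  return (bool) preg_match('/^[1-5][0-9]{2} /', $value);
}

// Constructed locale table: a translator rewrote the 301 string the way
// the issue describes, and also translated the bare reason phrase.
$translations = array(
  '301 Moved Permanently' => 'Content is moved (301)',
  'Moved Permanently'     => 'Content is moved',
);

$translated = status_options_translated($translations);
$safe       = status_options_safe($translations);

foreach (array(301, 302) as $code) {
  printf("%d translated: %-24s valid=%s\n", $code, $translated[$code],
         status_header_is_valid($translated[$code]) ? 'yes' : 'no');
  printf("%d hardened:   %-24s valid=%s\n", $code, $safe[$code],
         status_header_is_valid($safe[$code]) ? 'yes' : 'no');
}
```

Run it with the php CLI: the translated 301 entry no longer begins with a numeric code and fails the guard, while the hardened entry passes because the code is never exposed to translation; 302, which the fake table leaves untranslated, passes in both shapes.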
Comment | File | Size | Author
---|---|---|---
#3 | redirect.status-codes-issue.2820766-2.patch | 852 bytes | anton.shloma
Comments
Comment #2
anton.shloma CreditAttribution: anton.shloma as a volunteer and at DrupalJedi commented: Here is a simple patch which fixes this vulnerability.
Comment #3
anton.shloma CreditAttribution: anton.shloma as a volunteer and at DrupalJedi commented: Sorry, the correct patch is attached.
Comment #4
anton.shloma CreditAttribution: anton.shloma as a volunteer and at DrupalJedi commented
Comment #7
Stevel CreditAttribution: Stevel commented: Yes, this looks good indeed. The actual status code number should not be passed to translators.
Comment #8
pifagor RTBC
Comment #9
alex_optim commented: Looks good.
Comment #10
pifagor
Comment #13
pifagor
Comment #15
ciss CreditAttribution: ciss at yousign GmbH commented: Isn't the real issue here that the translated string is used in the status header?
Comment #16
ciss CreditAttribution: ciss at yousign GmbH commented: ... Well, the good news is that header injections are prevented by PHP: