Hi,

i use drupal 8 for a multilanguage project and i have a problem with destination redirects.
Language detection is set to url and all destination are absolute now.

But drupal core not allow absolute destination links.
Have any one a solution for me?

Best, Sebastian

CommentFileSizeAuthor
#8 2842635-8.patch1.69 KBandreyjan
#5 2842635-5.patch1.68 KBandreyjan
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

1000.grad.digital created an issue. See original summary.

1000.grad.digital’s picture

1000.grad.digital CreditAttribution: 1000.grad.digital commented
Status: Active » Needs work
cilefen’s picture

cilefen CreditAttribution: cilefen commented
Assigned: 1000.grad.digital » Unassigned
Status: Needs work » Active
Issue tags: -destination

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

andreyjan’s picture

andreyjan CreditAttribution: andreyjan at FFW commented
FileSize
2842635-5.patch1.68 KB

Added destination parameter check (UrlHelper::externalIsLocal) in RedirectResponseSubscriber. This fixes the issue.

andreyjan’s picture

andreyjan CreditAttribution: andreyjan at FFW commented
Status: Active » Needs review

Status: Needs review » Needs work

The last submitted patch, 5: 2842635-5.patch, failed testing.

andreyjan’s picture

andreyjan CreditAttribution: andreyjan at FFW commented
FileSize
2842635-8.patch1.69 KB

A small change of base_url used for comparison.

andreyjan’s picture

andreyjan CreditAttribution: andreyjan at FFW commented
Status: Needs work » Needs review
1000.grad.digital’s picture

1000.grad.digital CreditAttribution: 1000.grad.digital commented

Thanks andreyjan! That fixed my problem ;-)

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

borisson_’s picture

borisson_
Primary language Dutch
Location Mechelen, 🇧🇪
CreditAttribution: borisson_ at Calibrate commented
Status: Needs review » Needs work
Issue tags: +Needs reroll, +Needs tests, +Bug Smash Initiative

Needs a reroll, and tests as well. I also wonder how often this comes up, since it hasn't seen any activity in 5 years.

ravi.shankar’s picture

ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commented

Tried to add reroll here but I didn't find the sanitizeDestination method in core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php file and not in the Drupal core codebase.

borisson_’s picture

borisson_
Primary language Dutch
Location Mechelen, 🇧🇪
CreditAttribution: borisson_ at Calibrate commented

@ravi.shankar is the bug still reproducable? Because if it isn't, we should probably close this issue instead?

ravi.shankar’s picture

ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commented
Issue tags: +Needs steps to reproduce

Yes, then I think we need steps to reproduce the issue as the issue description steps are not mentioned.

borisson_’s picture

borisson_
Primary language Dutch
Location Mechelen, 🇧🇪
CreditAttribution: borisson_ at Calibrate commented
Status: Needs work » Postponed (maintainer needs more info)

Setting to postponed to get the needed information.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented
Status: Postponed (maintainer needs more info) » Closed (outdated)

There are no steps to reproduce the problem here. I found that the code in the patch was removed in Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006. Therefor, I am closing this as outdated.