Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Hi,
i use drupal 8 for a multilanguage project and i have a problem with destination redirects.
Language detection is set to url and all destination are absolute now.
But drupal core not allow absolute destination links.
Have any one a solution for me?
Best, Sebastian
Comment | File | Size | Author |
---|---|---|---|
#8 | 2842635-8.patch | 1.69 KB | andreyjan |
#5 | 2842635-5.patch | 1.68 KB | andreyjan |
Comments
Comment #2
1000.grad.digital CreditAttribution: 1000.grad.digital commentedComment #3
cilefen CreditAttribution: cilefen commentedComment #5
andreyjan CreditAttribution: andreyjan at FFW commentedAdded destination parameter check (UrlHelper::externalIsLocal) in RedirectResponseSubscriber. This fixes the issue.
Comment #6
andreyjan CreditAttribution: andreyjan at FFW commentedComment #8
andreyjan CreditAttribution: andreyjan at FFW commentedA small change of base_url used for comparison.
Comment #9
andreyjan CreditAttribution: andreyjan at FFW commentedComment #10
1000.grad.digital CreditAttribution: 1000.grad.digital commentedThanks andreyjan! That fixed my problem ;-)
Comment #19
borisson_Needs a reroll, and tests as well. I also wonder how often this comes up, since it hasn't seen any activity in 5 years.
Comment #20
ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commentedTried to add reroll here but I didn't find the
sanitizeDestination
method incore/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php
file and not in the Drupal core codebase.Comment #21
borisson_@ravi.shankar is the bug still reproducable? Because if it isn't, we should probably close this issue instead?
Comment #22
ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commentedYes, then I think we need steps to reproduce the issue as the issue description steps are not mentioned.
Comment #23
borisson_Setting to postponed to get the needed information.
Comment #25
quietone CreditAttribution: quietone at PreviousNext commentedThere are no steps to reproduce the problem here. I found that the code in the patch was removed in Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006. Therefor, I am closing this as outdated.