If you create a theme with a 2-character name using the color module, the generated styles.css has the wrong path to images.

The problem occurs in _color_rewrite_stylesheet() in the line:

    $before = preg_replace('`(^|/)(?!../)([^/]+)/../`', '$1', $before);

If the intention is to simplify paths including '..' (eg /a/b/c/../d to /a/b/d ) then the dots need escaping:

    $before = preg_replace('`(^|/)(?!\.\./)([^/]+)/\.\./`', '$1', $before);

Alternatively, don't use two-character theme or directory names ...

CommentFileSizeAuthor
#2 themes_using_two_chars_break_color_img_rewrite-2879473-2.patch634 bytesDaniel.Moberly
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

ayduns created an issue. See original summary.

Daniel.Moberly’s picture

Daniel.Moberly CreditAttribution: Daniel.Moberly commented
FileSize
themes_using_two_chars_break_color_img_rewrite-2879473-2.patch634 bytes

Tested and confirmed this issue exists in Drupal 8 as well.

I believe the intention is to replace paths like /core/themes/bartik/img/../test.svg with /core/themes/bartik/test.svg which is functionally equivalent. However, you are correct that the periods in '../' are not correctly escaped and thus paths like /core/themes/aa/test.svg/ are incorrectly replaced with /core/test.svg.

Attaching a patch for D8.

Daniel.Moberly’s picture

Daniel.Moberly CreditAttribution: Daniel.Moberly commented
Version: 7.x-dev » 8.4.x-dev
Component: base system » color.module
Status: Active » Needs review

Updating to a D8 issue

Daniel.Moberly’s picture

Daniel.Moberly CreditAttribution: Daniel.Moberly commented
Issue tags: +Needs backport to D7

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

borisson_’s picture

borisson_
Primary language Dutch
Location Mechelen, 🇧🇪
CreditAttribution: borisson_ as a volunteer and at Dazzle commented
Status: Needs review » Needs work
Issue tags: +Needs tests

This patch still applies, but I think this needs tests. Setting to needs work and adding that tag.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented
Project: Drupal core » Color backport
Version: 9.5.x-dev » 2.x-dev
Component: color.module » Code

Color has been removed from core, #3270899: Remove Color module from core.