This was first noted elsewhere by @quicksketch but I'm posting a patch to fix it now.

The Redirect module calls urldecode() on data from $_GET before putting it in a form field. Per http://php.net/manual/en/function.urldecode.php that should never be necessary since data in $_GET is already decoded. Decoding it again can only lead to bugs. (In the general case, it can lead to security issues also, but when the security team discussed this we didn't think there was any security issue in this particular case.)

This patch is for Drupal 7. For Drupal 8, there are some urldecode() calls too, but it's not obvious to me if they should be removed or not.
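The double decoding described in the issue summary, shown as an added example (this is not code from the Redirect module or from the patch). The `source` parameter name and the sample paths are constructed for illustration, and `parse_str()` stands in for the decoding PHP performs when it fills `$_GET`.

```php
<?php
// Added illustration; not code from the Redirect module.

/**
 * Mimics how PHP fills $_GET: parse_str() URL-decodes each value once.
 */
function simulated_get(string $query_string): array {
  $params = [];
  parse_str($query_string, $params);
  return $params;
}

// Constructed sample query strings (hypothetical parameter name and paths).
$samples = [
  // Nothing encoded: a second decode is a no-op.
  'source=node/1',
  // Literal "+" characters, sent correctly encoded as %2B.
  'source=tags/c%2B%2B',
  // A path that really contains the text "%20", sent as %2520.
  'source=docs/100%2520guide',
];

foreach ($samples as $query_string) {
  $get = simulated_get($query_string);

  // This is the value $_GET already holds: decoded exactly once.
  $once = $get['source'];

  // The extra urldecode() call the issue is about.
  $twice = urldecode($once);

  printf(
    "%s\n  from \$_GET:       %s\n  after urldecode(): %s\n  %s\n\n",
    $query_string,
    var_export($once, TRUE),
    var_export($twice, TRUE),
    $once === $twice ? 'unchanged' : 'CHANGED by second decode'
  );
}
```

Any value that legitimately contains `+` or a `%` followed by two hex digits comes out of the second decode different from what the user submitted, so the form field no longer matches the requested path.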

Comments

David_Rothstein created an issue. See original summary.

Status: Active » Needs review
FileSize
1.01 KB

Here is the patch.