Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it. [#3145557]

Just installed this plugin in D8 (8.8.6) website.

To reproduce the error

1. Login as non admin
2. Enable maintenance mode
3. Refresh page (from non admin user)
4. Page will show errorRedirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it.
5. Refresh again, error is gone, maintenance page shows up.

edit:

This doesn't help

$settings['trusted_host_patterns'] = [ '.*' ];

dd($response);

^ Symfony\Component\HttpFoundation\RedirectResponse {#35 ▼
  #targetUrl: "/"
  +headers: Symfony\Component\HttpFoundation\ResponseHeaderBag {#749 ▼
    #computedCacheControl: array:2 [▶]
    #cookies: []
    #headerNames: array:3 [▶]
    #headers: array:3 [▼
      "cache-control" => array:1 [▶]
      "date" => array:1 [▶]
      "location" => array:1 [▼
        0 => "/"
      ]
    ]
    #cacheControl: []
  }
  #content: """
    <!DOCTYPE html>
    <html>
        <head>
            <meta charset="UTF-8" />
            <meta http-equiv="refresh" content="0;url='/'" />
    
            <title>Redirecting to /</title>
        </head>
        <body>
            Redirecting to <a href="/">/</a>.
        </body>
    </html>
    """
  #version: "1.0"
  #statusCode: 200
  #statusText: "OK"
  #charset: null

I read somewhere absolute urls are required?

Comment	File	Size	Author
#11	issue3145557.patch	1.22 KB	barrett
#5	3145557.patch	1.39 KB	lusitaniae

Comments

Comment #1

4 June 2020 at 04:25

lusitaniae created an issue. See original summary.

Comment #2

lusitaniae commented 4 June 2020 at 08:46

Issue summary:

View changes

Comment #3

lusitaniae commented 4 June 2020 at 09:18

Issue summary:

View changes

Comment #4

barrett commented 4 June 2020 at 09:34

Could you include a full stack trace for the error you're reporting? This module isn't setting a redirect. All it does is set the status code on the response object.

https://git.drupalcode.org/project/maintenance200/-/blob/8.x-1.x/src/Eve...

<?php
  /**
   * Respond to RESPONSE Kernel event by setting status code if in maintenance.
   *
   */
  public function onKernelResponse(FilterResponseEvent $event) {
    if ($this->config->get('maintenance200_enabled')) {
      $status_code = $this->config->get('maintenance200_status_code');
      $request = $event->getRequest();
      $routeMatch = RouteMatch::createFromRequest($request);
      $response = $event->getResponse();

      if ($this->maintenanceMode->applies($routeMatch) && !$this->maintenanceMode->exempt($this->account)) {
        $response->setStatusCode($status_code);
        $event->setResponse($response);
      }
    }
  }


?>

Comment #5

lusitaniae commented 4 June 2020 at 09:35

Status	File	Size
new	3145557.patch	1.39 KB

proposed patch

Comment #6

lusitaniae commented 4 June 2020 at 09:48

Thanks for looking into this

Hereby the stack trace

Maintenance mode seems to work as expected without using the plugin,
when I enable the plugin it shows the error mentioned in the stack trace.


User error: Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it. in Drupal\Core\EventSubscriber\RedirectResponseSubscriber->checkRedirectUrl() (line 84 of /var/www/default/web/core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php)
#0 /var/www/default/web/core/includes/bootstrap.inc(600): _drupal_error_handler_real(256, 'Redirects to ex...', '/var/www/drupal...', 84, Array)
#1 [internal function]: _drupal_error_handler(256, 'Redirects to ex...', '/var/www/drupal...', 84, Array)
#2 /var/www/default/web/core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php(84): trigger_error('Redirects to ex...', 256)
#3 [internal function]: Drupal\Core\EventSubscriber\RedirectResponseSubscriber->checkRedirectUrl(Object(Symfony\Component\HttpKernel\Event\FilterResponseEvent), 'kernel.response', Object(Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher))
#4 /var/www/default/web/core/lib/Drupal/Component/EventDispatcher/ContainerAwareEventDispatcher.php(111): call_user_func(Array, Object(Symfony\Component\HttpKernel\Event\FilterResponseEvent), 'kernel.response', Object(Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher))
#5 /var/www/default/vendor/symfony/http-kernel/HttpKernel.php(191): Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher->dispatch('kernel.response', Object(Symfony\Component\HttpKernel\Event\FilterResponseEvent))
#6 /var/www/default/vendor/symfony/http-kernel/HttpKernel.php(130): Symfony\Component\HttpKernel\HttpKernel->filterResponse(Object(Symfony\Component\HttpFoundation\RedirectResponse), Object(Symfony\Component\HttpFoundation\Request), 1)
#7 /var/www/default/vendor/symfony/http-kernel/HttpKernel.php(68): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
#8 /var/www/default/web/core/lib/Drupal/Core/StackMiddleware/Session.php(57): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#9 /var/www/default/web/core/lib/Drupal/Core/StackMiddleware/KernelPreHandle.php(47): Drupal\Core\StackMiddleware\Session->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#10 /var/www/default/web/core/modules/page_cache/src/StackMiddleware/PageCache.php(106): Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#11 /var/www/default/web/core/modules/page_cache/src/StackMiddleware/PageCache.php(85): Drupal\page_cache\StackMiddleware\PageCache->pass(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#12 /var/www/default/vendor/asm89/stack-cors/src/Asm89/Stack/Cors.php(49): Drupal\page_cache\StackMiddleware\PageCache->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#13 /var/www/default/web/core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php(47): Asm89\Stack\Cors->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#14 /var/www/default/web/core/lib/Drupal/Core/StackMiddleware/NegotiationMiddleware.php(52): Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#15 /var/www/default/vendor/stack/builder/src/Stack/StackedHttpKernel.php(23): Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#16 /var/www/default/web/core/lib/Drupal/Core/DrupalKernel.php(708): Stack\StackedHttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#17 /var/www/default/web/index.php(19): Drupal\Core\DrupalKernel->handle(Object(Symfony\Component\HttpFoundation\Request))
#18 {main}

fyi don't have much experience with Drupal

I understand my patch won't work as intended just now

Comment #7

lusitaniae commented 4 June 2020 at 09:47

1 file was hidden/shown/deleted

Status	File	Size
hidden	3145557.patch	1.39 KB

Comment #8

Anonymous (not verified) commented 5 June 2020 at 06:57

Have the same error message by updating a out of date module.

User error: Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it. in Drupal\Core\EventSubscriber\RedirectResponseSubscriber->checkRedirectUrl() (line 84 of core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php).

Drupal Version is 8.9.0
Also added the ToolbarController.php patch - for this problem it has'nt fixed it.

Comment #9

lusitaniae commented 5 June 2020 at 07:14

Issue summary:

View changes

Comment #10

barrett commented 5 June 2020 at 11:03

I have been able to replicate the issue.

When maintenance200 is configured to rewrite the maintenance mode status code, users who have active sessions when maintenance mode is enabled and who do not have the permission to bypass maintenance mode, see the reported error when refreshing a page or navigating between pages.

What I cannot account for at this time is why that's the case, since this module doesn't emit a redirect.

Comment #11

barrett commented 5 June 2020 at 15:59

Status:

Active

» Needs review

Status	File	Size
new	issue3145557.patch	1.22 KB

The patch here is working locally for me. Looks like we just need to not trigger on RedirectRequests. I bet a non-30x code set in there just confuses everyone.

Assuming this does work, we should probably exclude 30x response codes from being set in this module. Not sure what a browser would do if you gave it a 30x response code and no Location header.

Comment #12

seppe beelprez commented 10 August 2020 at 09:08

I can confirm that the patch in #11 is working.

Comment #13

barrett commented 11 August 2020 at 10:43

Status:

Needs review

» Fixed

The patch has been merged and released as the 8.x-1.1 release version.

Comment #14

25 August 2020 at 10:44

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it.

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

News items

Our community

Documentation

Drupal code base

Governance of community