Problem/Motivation

When using URL aliases, the user is able to specify character sequences that are invalid in filenames, which makes the pages unloadable via those URLs.

Proposed resolution

Warn the user when saving aliases that contain these sequences. This will not prevent saving, but it notifies the user that there will be a future problem with them.
This patch will work on both Mac and Windows filesystems (change from original report).

Remaining tasks

Confirm the problem exists with a currently supported version of Drupal
Apply the patches.

User interface changes

None

API changes

None

Original report by CitizenKane

When running Drupal on Apache (2.2) on Windows, sending Apache a URL with a special Windows filename character (\ : * < >) will cause Apache to return a 403 or 404 error code depending on the specific combination of characters used. This can occur in URL aliases or menu router paths. Apache will return the error before hitting Drupal in most cases; Apache is treating these as paths to files on the filesystem and is thus not allowing them to be passed in.

The path module should deal with these characters in some fashion, by filtering, transliteration or simply not allowing them.


Comments

sun.core’s picture

Priority: Major » Normal
Issue tags: +Windows

Sounds like a regular bug to me. Btw, does it also exist in D6? If so, the fix might be backported.

superspring’s picture

Version: 7.x-dev » 8.x-dev
Assigned: CitizenKane » Unassigned
Priority: Normal » Minor
Status: Active » Needs review

This seems like a minor bug to me. I have attached a patch which gives a warning if any of these characters are used and suggests to the user/admin to check its usability.

therobyouknow’s picture

Can you give some instructions as to how to reproduce this problem? I attempted to reproduce the problem on Drupal 8 on MAMP today but could not (so presumably it is a host platform specific issue and not Apache?)

Created an article with title containing illegal characters \ : * < >
Set the URL to contain the characters \ : * < >

A screen shot of my attempt shows that Drupal uses the web standard URL/percent encoding % to represent these characters
Screen Shot 2012-11-17 at 15.51.38.png

superspring’s picture

Hey @therobyouknow, thanks for your review. I'll write another patch soon for including Mac.

superspring’s picture

Here is a patch which covers both Windows and Mac filesystems.

superspring’s picture

Issue summary: View changes

Applying Issue Summary Template standards.

superspring’s picture

Same patch with more Drupalesque code.

superspring’s picture

Issue summary: View changes

Removing unnecessary comment

Status: Needs review » Needs work

The last submitted patch, 6: illegal_url_characters-892140-6.patch, failed testing.

hkirsman’s picture

Issue summary: View changes

It's been a long time since the last update and meanwhile the core/includes/path.inc file has been removed.

Here's a new patch. Also used preg_match_all instead of preg_match to get all the found characters into the message.
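
An added example, not the patch attached to this issue and not Drupal core code: a stand-alone PHP check in the spirit of the warning discussed in this thread, using preg_match_all to collect every reserved character found in an alias. The function name is hypothetical, and the device-name and trailing-dot checks go beyond the characters listed in the original report.

```php
<?php
// Added illustration; find_unsafe_alias_parts() is a hypothetical helper,
// not a Drupal API and not the code from the attached patch.

/**
 * Returns warnings for a URL alias that a web server running on a Windows
 * filesystem may reject before the request ever reaches the application.
 */
function find_unsafe_alias_parts(string $alias): array {
  $warnings = [];

  // Characters named in the original report: \ : * < >
  // preg_match_all() returns every hit, so the message can list them all.
  if (preg_match_all('/[\\\\:*<>]/', $alias, $matches)) {
    $chars = array_values(array_unique($matches[0]));
    $warnings[] = 'Reserved filename characters: ' . implode(' ', $chars);
  }

  // Beyond the report (assumption about scope): Windows also reserves
  // device names and strips trailing dots and spaces from path segments.
  $devices = '/^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$/i';
  foreach (explode('/', trim($alias, '/')) as $segment) {
    if ($segment === '') {
      continue;
    }
    if (preg_match($devices, $segment)) {
      $warnings[] = "Reserved device name in segment: $segment";
    }
    if ($segment !== rtrim($segment, '. ')) {
      $warnings[] = "Segment ends with a dot or space: $segment";
    }
  }
  return $warnings;
}

// Constructed sample aliases; "article:/*abc" is the alias quoted in this
// thread, the others are made up for the demonstration.
$samples = ['/about-us', '/article:/*abc', '/files/con.txt', '/notes./x'];
foreach ($samples as $alias) {
  $found = find_unsafe_alias_parts($alias);
  echo $alias, ' => ', $found ? implode('; ', $found) : 'ok', PHP_EOL;
}
```

Because the check only produces warnings, the alias is still saved; the server-side rejection described in the original report is unchanged.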

hkirsman’s picture

Status: Needs work » Needs review

swetashahi’s picture

Status: Needs review » Needs work

I tested this with simplytest with the latest patch and observed the special characters aren't encoded. Used the special characters in a URL alias as "article:/*abc"

The same characters appear in the URL as below. Also, no warning to user while saving.

error_screenshot

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Version: 8.2.x-dev » 8.3.x-dev

Version: 8.3.x-dev » 8.4.x-dev

Version: 8.4.x-dev » 8.5.x-dev

Version: 8.5.x-dev » 8.6.x-dev

Version: 8.6.x-dev » 8.8.x-dev

Version: 8.8.x-dev » 8.9.x-dev

Version: 8.9.x-dev » 9.2.x-dev

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Version: 9.4.x-dev » 9.5.x-dev

quietone’s picture

Issue summary: View changes
Status: Needs work » Postponed (maintainer needs more info)
Issue tags: +Bug Smash Initiative

@CitizenKane. Thank you for reporting this problem. We rely on issue reports like this one to resolve bugs and improve Drupal core.

Is this issue still a problem?

There has been no activity here for 8 years. Has this perhaps been fixed in the meantime?

I asked about this in #bugsmash. mstrelan replied that aliases such as foo:bar are allowed so this may not be fixed. They also pointed out that any fix, if made, should work for all OSes, not just Windows.

So, what we need next here is confirmation that the problem still exists. I have added that to the Issue Summary, remaining tasks. And I am setting the status to Postponed (maintainer needs more info) for that information.

quietone’s picture

Status: Postponed (maintainer needs more info) » Closed (outdated)

It has been 7 months since asking and there has been no confirmation that this problem exists on a supported version of Drupal.

Therefore, closing as outdated. If this is incorrect, reopen the issue by setting the status to 'Active' and add a comment explaining what still needs to be done.

Thanks!