Problem/Motivation
When using URL aliases the user is able to specify invalid filename sequences making the pages unloaded via those URLs.
Proposed resolution
To give the user warnings when saving these filenames. This will not prevent it but notify the user that there will be a future problem with them.
This patch will work on both Mac and Windows filesystems (change from original report).
Remaining tasks
Confirm the problem exists with a currently supported version of Drupal
Apply the patches.
User interface changes
None
API changes
None
Original report by CitizenKane
// Text of original report here.
When running Drupal on Apache (2.2) on Windows, sending Apache a URL with a special windows filename character (\ : * < >) will cause Apache to return a 403 or 404 error code depending on the specific combination of characters used. This can occur in URL aliases or menu routers paths. Apache will return the error before hitting Drupal in most cases, Apache is treating these as paths to files on the filesystem and is thus not allowing them to be passed in.
The path module should deal with these characters in some fashion, by filtering, transliteration or simply not allowing them.
Comment | File | Size | Author |
---|---|---|---|
#11 | Screenshot_23_05_2015.png | 57.93 KB | swetashahi |
#9 | illegal_url_characters-892140-9.patch | 1.87 KB | hkirsman |
#6 | illegal_url_characters-892140-6.patch | 1.48 KB | superspring |
#5 | illegal_url_characters-892140-5.patch | 1.5 KB | superspring |
#3 | Screen Shot 2012-11-17 at 15.51.38.png | 221.16 KB | therobyouknow |
Comments
Comment #1
sun.core CreditAttribution: sun.core commentedSounds like a regular bug to me. Btw, does it also exist in D6? If so, the fix might be backported.
Comment #2
superspring CreditAttribution: superspring commentedThis seems like a minor bug to me. I have attached a patch which gives a warning if any of these characters are used and suggests to the user/admin to check it's usability.
Comment #3
therobyouknow CreditAttribution: therobyouknow commentedCan you give some instructions as to how to reproduce this problem. I attempted to reproduce the problem on Drupal 8 on MAMP today but could not (so presumably it is a host platform specific issue and not Apache?)
Created an article with title containing illegal characters \ : * < >
Set the URL to contain the characters \ : * < >
A screen shot of my attempt shows that Drupal uses the web standard URL/percent encoding % to represent these characters
Comment #4
superspring CreditAttribution: superspring commentedHey @therobyouknow, thanks for your review. I'll write another patch soon for including Mac.
Comment #5
superspring CreditAttribution: superspring commentedHere is a patch which covers both Windows and Mac filesystems.
Comment #5.0
superspring CreditAttribution: superspring commentedApplying Issue Summary Template standards.
Comment #6
superspring CreditAttribution: superspring commentedSame patch with more Drupalesque code.
Comment #6.0
superspring CreditAttribution: superspring commentedRemoving unnecessary comment
Comment #9
hkirsman CreditAttribution: hkirsman as a volunteer commentedIt's been a long time since the last update and meanwhile the core/includes/path.inc file has been removed.
Here's new patch. Also used preg_match_all instead of preg_match to get all the found characters into the message.
Comment #10
hkirsman CreditAttribution: hkirsman as a volunteer commentedComment #11
swetashahi CreditAttribution: swetashahi as a volunteer and at Srijan | A Material+ Company commentedI tested this with simplytest with the latest patch and observed the special characters aren't encoded. Used the special characters in a URL alias as "article:/*abc"
The same characters appear in the URL as below. Also, no warning to user while saving.
Comment #24
quietone CreditAttribution: quietone at PreviousNext commented@CitizenKane. Thank you for reporting this problem. We rely on issue reports like this one to resolve bugs and improve Drupal core.
Is this issue still a problem?
There has been no activity here for 8 years. Has this perhaps been fixed in the meantime?
I asked about this in #bugsmash. mstrelan replied that aliases such as foo:bar are allowed so this may not be fixed. They also pointed out that any fix, if made, should work for all OS's not just Windows.
So, what we need next here is confirmation that the problem still exists. I have added that to the Issue Summary, remaining tasks. And I am setting the status to Postponed (maintainer needs more info) for that information.
Comment #25
quietone CreditAttribution: quietone at PreviousNext commentedIt has been 7 months since asking and there has been no confirmation that this problem exists on a supported version of Drupal.
Therefore, closing as outdated. If this is incorrect reopen the issue, by setting the status to 'Active', and add a comment explaining what still needs to be done.
Thanks!