Here is a bug I found while we were using Secure Pages, but it could potentially break when CAS Server is used with any module that calls hook_drupal_goto_alter().

Basically drupal_goto() should be used for internal links only, as per the documentation:

Sends the user to a different Drupal page.

This issues an on-site HTTP redirect.

However, in cas_server, drupal_goto() is being used to redirect the user to the external service. On my site this meant the https was being turned into http by securepages (correctly), which broke logins because the connecting service required https.

The fix is easy: just replace the drupal_goto() with header('Location: blah');

Comment    File    Size    Author
#1    cas-cas_server_drupal_goto-2022229.patch    517 bytes    Rob230

Comments

Rob230’s picture

Status: Active » Needs review
File size: 517 bytes

This patch fixes it for cas_server.module.

I believe the same mistake is probably made in cas.module, but I don't use that part of the module so I haven't done anything for it.

Status: Needs review » Needs work

The last submitted patch, cas-cas_server_drupal_goto-2022229.patch, failed testing.

Rob230’s picture

Status: Needs work » Needs review

bfroehle’s picture

Sorry, I'm a little confused here. drupal_goto can certainly be used for external pages. It sounds like securepages is being weirdly overzealous in this case --- perhaps you should report the bug to them?

Rob230’s picture

Hmm, I originally thought this was a bug with securepages too, but I changed my mind when I saw that the manual said this for drupal_goto:

Sends the user to a different Drupal page.

This issues an on-site HTTP redirect.

The manual could be wrong or outdated though. drupal_goto can certainly be used for external URLs; I just wasn't sure whether it should (or why you would need it).

The code for drupal_goto seems geared towards Drupal paths. It changes the redirect to $_GET['destination'] if necessary and it lets other modules modify the path before it turns it into a full URL, neither of which would be desirable if you were trying to send them to an external page, in my opinion.

But perhaps you are right and securepages should be detecting if the URL is external and ignoring it. #1962854: Do not alter external URL seems to do exactly that.
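
The guard discussed in the comment above, as an added example (not code from Secure Pages, CAS Server or anyone in this thread): a hypothetical "example" module's hook_drupal_goto_alter() that forces http for on-site redirects but leaves external destinations alone. example_is_external() is a simplified stand-in for Drupal 7's url_is_external(), and the URLs are constructed.

```php
<?php
// Added example: not code from CAS, Secure Pages or Drupal core.
// "example" is a hypothetical module; the URLs below are constructed.

// Simplified stand-in for Drupal 7's url_is_external(): a path is external
// when a scheme colon appears before any '/', '?' or '#'.
function example_is_external($path) {
  $colon = strpos($path, ':');
  return $colon !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colon));
}

// Implements hook_drupal_goto_alter() for a module that forces plain HTTP
// on redirects to on-site pages.
function example_drupal_goto_alter(&$path, &$options, &$http_response_code) {
  // An external destination, such as a CAS service URL, belongs to another
  // site: leave its scheme exactly as the caller supplied it.
  if (example_is_external($path)) {
    return;
  }
  // On-site Drupal path: ask url() for an absolute, non-HTTPS URL.
  $options['absolute'] = TRUE;
  $options['https'] = FALSE;
}

// Constructed redirect targets, run through the hook outside Drupal.
$targets = array(
  // Plain on-site path.
  'node/1',
  // On-site path whose query string happens to contain a colon.
  'user/login?destination=https://service.example/app',
  // External service URL, as in the cas_server redirect.
  'https://service.example/app',
);
foreach ($targets as $target) {
  $path = $target;
  $options = array();
  $code = 302;
  example_drupal_goto_alter($path, $options, $code);
  $result = $options ? 'scheme forced to http' : 'left untouched';
  printf("%-55s %s\n", $target, $result);
}
```

Inside a Drupal 7 module the stand-in would be replaced by url_is_external() itself, and the 'https' option only takes effect when the site's 'https' variable is enabled.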

Rob230’s picture

Status: Needs review » Closed (works as designed)

The bug is indeed with Secure Pages, and I got the documentation for drupal_goto changed to be more clear. Thanks for your help.

Rob230’s picture

Issue summary: View changes

correct link URL