Problem/Motivation

#2512452: Confirm form cancel button can lead to external domain added an exception when an external URI is passed to UrlHelper::fromInternalUri().

This inadvertently fixed the security issue with #2507831: Harden redirect responses to make external URIs opt in (was SA-CORE-2015-002 foward-port).

However it means that instead of the security issue, end-users can still trigger exceptions on a working site. This is not good and we should catch the exception in FieldUI::getNextDestination() the same as we do in ConfirmFormHelper.

Proposed resolution

Apply the same pattern used in ConfirmFormHelper to FieldUi::getNextDestination()

Additionally, in all places where we use UrlHelper::fromInternalUri() we should either:

1. Be calling it on validated user input (a path alias, a path for a menu link)
OR
2. Catch the exception and silently produce an empty or default URI instead, or if not silently add a trigger_error() to log what is likely to be an attempted open redirect attack.

Remaining tasks

User interface changes

API changes

Not as such, but #2512452: Confirm form cancel button can lead to external domain arguably changed the API by throwing an exception in more cases and core needs updating for that as well as possibly documentation on UrlHelper::fromInternalUri().

Data model changes

Comments

cilefen’s picture

cilefen commented
Version: 8.0.x-dev » 8.1.x-dev
Issue summary: View changes
unstatu’s picture

unstatu commented

I'm not very sure we need to change the code here because the FieldUI::getNextDestination method is already forcing the path to be correct:

$next_destination = Url::fromUserInput('/' . $options['path'], $options); //The concatenated '/' enforces the path to be correct
unstatu’s picture

unstatu commented
Status: Active » Needs review
unstatu’s picture

unstatu commented
Issue tags: +DrupalCampES
xjm’s picture

xjm
she/her
Primary language English
commented
Component: base system » routing system

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

dawehner’s picture

dawehner
Primary language German
commented

Just some random idea. Instead of throwing the exception we could also encode the error into the resulting URL object.

This would then look something like this:

class InvalidUrl extends Url {
  protected $exception;
  protected $invalidUri;

  public function toString() {
    return "Invalid URI: {$this->invalidUri}";
  }

}

This allows callers to still check for errors, but make the API save against potential missing catching.

effulgentsia’s picture

effulgentsia commented
Issue tags: +Triaged core major

Discussed with @xjm, @catch, @alexpott, and @Cottser on a triage call, and we agreed this is a Major bug, per https://www.drupal.org/core/issue-priority#major-bug:

Trigger a PHP error through the user interface

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Issue tags: +Novice, +Bug Smash Initiative

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
commented
Version: 9.5.x-dev » 10.1.x-dev
Status: Needs review » Active

No patch

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

sayco’s picture

sayco commented

First of all, I think the ticket needs to be updated with the information that the fromInternalUri is now part of the Url class, not the UrlHelper.

The other thing about this (before we apply any changes in the code) is that the implementation of the function is wrongly designed. It breaks the SRP, as it’s not only responsible for creating the internal URI, but also for validation against the external URI. I think this is the wrong approach.

I know it requires a lot of changes, but the fromInternalUri should be responsible for building the internal URI from whatever is given, or it should return a null value or raise an exception. Whatever is using the function should be responsible for handling the exception or null value, checking what the given value is, and taking appropriate actions depending on the outcome. It shouldn’t be the responsibility of the fromInternalUri method to know about other dependencies and all the use cases.

We also should avoid adding any silent caches in the code. At the very least, logging with debug level should be added. Otherwise, it’s hard to guess that anything unexpected happened in the code.

xjm credited alexpott.

xjm credited catch.

xjm credited star-szr.

xjm’s picture

xjm
she/her
Primary language English
commented

Adding credits for the triage from #8.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.