Problem/Motivation

While participating in the Drupalcon sprints here in Barcelona I wanted to be lazy and run Drupal with drush runserver instead of configuring apache or something on my machine. All seemed to be fine and dandy with the installation and all, until I clicked add content, created a node and clicked save where I was given an error message:

Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it.

The same error occurs after creating a content type and probably many places where redirects are involved. The node in question does get created.

I know that this is a bit of a rare use case, but since so many of us Drupal developers rely on Drush it would be great to have it supported.

Proposed resolution

Identify what is causing the issue.

Remaining tasks

Create a patch that resolves the issue.

User interface changes

None

API changes

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category: Bug because Drupal is unusable for people using drush runserver
Issue priority: Normal because it only affects developers
Prioritized changes: Prioritized because it's a bug fix.

Comments

badrange created an issue. See original summary.

badrange’s picture

Issue summary: View changes
Issue tags: +Barcelona2015
dpi’s picture

This seems to be killing some of my tests.

https://travis-ci.org/dpi/rng/jobs/107251251

baaluaanand’s picture

I am also getting the same error while I am trying to redirect to an external URL. While submitting a Drupal form, I am validating the form and redirecting to an external URL. Please guide me to fix this issue.

Thanks
Baalu

dpi’s picture

@baaluaanand if you are actually redirecting to an external URL then you are not experiencing this bug. See Redirect to external URLs now requires a special object. This bug relates to seeing the error message while trying to redirect to an internal route.

baaluaanand’s picture

Hi

I am not able to use the TrustedRedirectResponse() in form_state->setRedirectUrl() function.

I am trying to redirect to an external URL while submitting a form (Drupal API form), but not able to redirect.

Please help me to fix this issue

dpi’s picture

@baaluaanand Please look for/post a different issue.

swentel’s picture

Status: Active » Postponed (maintainer needs more info)

This works fine when I run 'drush runserver' so not sure if this is still an issue.

dpi’s picture

Got a feeling it has something to do with the '.' in the URL:

| Webserver | URL POST-ed to | Redirect error? |
| --- | --- | --- |
| Runserver | http://ubuntu/admin/structure/rng/event_types/manage/node.event/edit | FAIL |
| Runserver | http://ubuntu/admin/structure/rng/event_types/manage/nodeevent/edit | OK |
| Runserver | http://192.168.99.110/admin/structure/rng/event_types/manage/node.event/edit | FAIL |
| Runserver | http://192.168.99.110/admin/structure/rng/event_types/manage/nodeevent_1/edit | OK |
| Runserver | http://192.168.99.110:8181/admin/structure/rng/event_types/manage/node.event/edit | FAIL |
| Runserver | http://192.168.99.110:8181/admin/structure/rng/event_types/manage/nodeevent/edit | OK |
| Apache | http://ubuntu:8080/admin/structure/rng/event_types/manage/node.event/edit | OK |
| Apache | http://ubuntu:8080/admin/structure/rng/event_types/manage/nodeevent_2/edit | OK |
| Apache | http://192.168.99.110:8080/admin/structure/rng/event_types/manage/node.event/edit | OK |
| Apache | http://192.168.99.110:8080/admin/structure/rng/event_types/manage/nodeevent_2/edit | OK |

All tested from the same server.

FAIL = 'Redirects to external URLs are not allowed by default' shown

From the above URL, they are redirecting to /admin/structure/rng/event_types. Referrer issue?

swentel’s picture

Status: Postponed (maintainer needs more info) » Active

Interesting table, moving to active again.

dpi’s picture

I've posted this issue to Drush, I'd appreciate it if you could take a look @swentel.

You can copy the changes in that PR directly to ~/.composer/vendor/drush/drush/commands/runserver/d8-rs-router.php if you don't want to pull the whole repo.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev


clemens.tolboom’s picture

We have Drupal 8.2.3 installed in a subdirectory with a .htaccess redirect rule (completely bad installation) and get this 'error' from a user create link. Drupal generates the URL without the subdirectory somehow. Not sure how related this is.

XREFs

#2666074: "Redirects to external URLs are not allowed by default" error while using form_state setRedirectUrl function
#2599342: Form state doesn't allow trusted redirects

Version: 8.2.x-dev » 8.3.x-dev


Version: 8.3.x-dev » 8.4.x-dev


Version: 8.4.x-dev » 8.5.x-dev


Version: 8.5.x-dev » 8.6.x-dev


portulaca’s picture

Possibly the same underlying issue:

Redirects being built as http://localhost:8888/drupal8 and not considered safe by RedirectResponseSubscriber
https://www.drupal.org/project/drupal/issues/2612160#comment-11767977

The problem actually originates in the .htaccess redirect itself. The redirect forwards all calls to a subdirectory, but in so doing changes the $base_url to domain.com/subdirectory. LocalRedirectResponse then tries to validate the base_url, using \Drupal\Component\Utility\UrlHelper::externalIsLocal(), which in turn checks whether either the base_url's path is / (that's no longer the case due to redirect) or the first path is equal to expected url (again, it is not, as the /subdirectory is new).
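
The comparison described in the explanation above, as an added example (not Drupal's own code and not part of the original comment): `is_local_redirect()` is a hypothetical, simplified model of the host and base-path check, run over constructed URLs that reuse the `domain.com/subdirectory` naming from the comment.

```php
<?php
// Added illustration: a simplified model of the same-site check described in
// the comment above. It is not the source of UrlHelper::externalIsLocal().

/**
 * Returns true when $url is on the host of $base_url and under its base path.
 * Scheme and port are not compared in this model.
 */
function is_local_redirect(string $url, string $base_url): bool {
  // Some browsers treat "\" as "/", so normalise before parsing.
  $url = str_replace('\\', '/', $url);
  $target = parse_url($url);
  $base = parse_url($base_url);
  // Unparseable or host-less input: fail closed and treat it as external.
  if ($target === false || $base === false
      || empty($target['host']) || empty($base['host'])) {
    return false;
  }
  if (strcasecmp($target['host'], $base['host']) !== 0) {
    return false;
  }
  // Compare with trailing slashes so "/subdirectory" cannot match
  // "/subdirectoryX" through a partial prefix.
  $base_path = rtrim($base['path'] ?? '', '/') . '/';
  $target_path = rtrim($target['path'] ?? '', '/') . '/';
  return strpos($target_path, $base_path) === 0;
}

// Constructed sample cases: [redirect target, base URL the site believes it has].
$cases = [
  ['http://domain.com/subdirectory/user/1', 'http://domain.com/subdirectory/'],
  ['http://domain.com/user/1', 'http://domain.com/subdirectory/'],
  ['http://domain.com/user/1', 'http://domain.com/'],
  ['http://domain.com/subdirectoryX/user/1', 'http://domain.com/subdirectory/'],
  ['http://other.example/subdirectory/user/1', 'http://domain.com/subdirectory/'],
];
foreach ($cases as [$url, $base_url]) {
  $verdict = is_local_redirect($url, $base_url) ? 'local' : 'external';
  printf("%-42s base=%-33s %s\n", $url, $base_url, $verdict);
}
```

The second case is the subdirectory situation from the thread: the target is on the same host but lacks the base path, so the check classifies it as external and a response type that only permits local redirects refuses it.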

badrange’s picture

Not working with Drupal at the moment (possibly any more), so I'm unfollowing.

Version: 8.6.x-dev » 8.8.x-dev


Version: 8.8.x-dev » 8.9.x-dev


Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev
larowlan’s picture

Status: Active » Postponed (maintainer needs more info)
Issue tags: +Bug Smash Initiative

Is this still an issue?
Is it only related to how drush runserver constructs the base url?

Version: 9.3.x-dev » 9.4.x-dev


quietone’s picture

Status: Postponed (maintainer needs more info) » Closed (outdated)

7 months ago it was asked if this is still a problem in core and there has been no reply. Therefore, I am closing this as outdated.