Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Description
500 Internal error when 'destination' url query value is numeric and less than 6 character after any form is submitted. (Currently only tested with "?destination=18" and page "/18" doesn't exists)
Expected
Should render page not found when the page of the value doesn't exists.
Result
500 Internal error.
Steps to reproduce
- add query parameter "?destination=18" to any page that has drupal/custom form.
- successfully submit the form
Video: Imgur
Comments
Comment #2
thihathit CreditAttribution: thihathit commentedComment #3
thihathit CreditAttribution: thihathit commentedComment #4
cilefen CreditAttribution: cilefen commentedWhat is the error?
Comment #5
Chi CreditAttribution: Chi commentedThe URI 'base:18' is invalid. You must use a valid URI scheme. Use base: for a path, e.g., to a Drupal file that needs the base path. Do not use this for internal paths controlled by Drupal.
This is related to how parse_url() deals with such URLs.
Comment #6
Chi CreditAttribution: Chi commentedHow did you get such an URL in your address bar? If you typed it manually then it is not a bug per our current policies.
There are many other URLs in Drupal that produce warnings and errors (even fatal).
For instance quickedit/form/1/2/3/4/5 also returns 500 error (PluginNotFoundException).
The approach we are taking for such issues is like follows.
Which is, in my opinion, totally wrong but it is.
Comment #7
thihathit CreditAttribution: thihathit commentedThe thing is i'm writing a custom booking form, the machine names of fields are looks like this.
arrival
departure
origin
destination
All these fields are 'select' fields i.e, options of values are like this array('15'=>'Some city', '18'=>'Some city 2'), etc..
after the submitting to next page i'll get queries in url looks something like this "?arrival=15&departure=30&origin=21&destination=18
So i didn't typed it manually.
As you can see all the query names except 'destination' won't cause this error because the destination query became a conflict with drupal's redirect 'destination' of forms and strangely it only happens when it is numeric and less than 6 length.
Of course it's not security issue, and the easy workaround is not to use 'destination' as field machine name on every forms. But still, it breaks the site so i guess better fix someday as minor bug.
I'll look into codes more detail when I get more time.
Edit
Another solution, If u can't avoid using 'destination' and you just need 'destination' query to pass the data to another page but not to redirect then remove the query via submitForm method, this way $form_state will ignore submit redirection from 'destination' query.
\Drupal::request()->query->remove('destination');