Description

500 Internal error when 'destination' url query value is numeric and less than 6 character after any form is submitted. (Currently only tested with "?destination=18" and page "/18" doesn't exists)

Expected

Should render page not found when the page of the value doesn't exists.

Result

500 Internal error.

Steps to reproduce

- add query parameter "?destination=18" to any page that has drupal/custom form.
- successfully submit the form
Video: Imgur

Comments

thihathit created an issue. See original summary.

thihathit’s picture

thihathit CreditAttribution: thihathit commented
Issue summary: View changes
thihathit’s picture

thihathit CreditAttribution: thihathit commented
Version: 8.7.x-dev » 8.6.x-dev
cilefen’s picture

cilefen CreditAttribution: cilefen commented

What is the error?

Chi’s picture

Chi CreditAttribution: Chi commented

What is the error?

The URI 'base:18' is invalid. You must use a valid URI scheme. Use base: for a path, e.g., to a Drupal file that needs the base path. Do not use this for internal paths controlled by Drupal.

This is related to how parse_url() deals with such URLs.

>>> parse_url('base:123456');
=> [
     "scheme" => "base",
     "path" => "123456",
   ]
>>> parse_url('base:12345');
=> [
     "host" => "base",
     "port" => 12345,
   ]
>>>
Chi’s picture

Chi CreditAttribution: Chi commented
Related issues: +#1242472: Invalid type of $_GET variables causes PHP warnings and notices when treated as strings

500 Internal error when 'destination' url query value is numeric and less than 6 character

How did you get such an URL in your address bar? If you typed it manually then it is not a bug per our current policies.
There are many other URLs in Drupal that produce warnings and errors (even fatal).

For instance quickedit/form/1/2/3/4/5 also returns 500 error (PluginNotFoundException).

The approach we are taking for such issues is like follows.

Garbage in, garbage out. Unless there's a security issue involved, this won't fix. Fix the calling code instead.

Which is, in my opinion, totally wrong but it is.

thihathit’s picture

thihathit CreditAttribution: thihathit commented

The thing is i'm writing a custom booking form, the machine names of fields are looks like this.

arrival
departure
origin
destination

All these fields are 'select' fields i.e, options of values are like this array('15'=>'Some city', '18'=>'Some city 2'), etc..

after the submitting to next page i'll get queries in url looks something like this "?arrival=15&departure=30&origin=21&destination=18
So i didn't typed it manually.
As you can see all the query names except 'destination' won't cause this error because the destination query became a conflict with drupal's redirect 'destination' of forms and strangely it only happens when it is numeric and less than 6 length.
Of course it's not security issue, and the easy workaround is not to use 'destination' as field machine name on every forms. But still, it breaks the site so i guess better fix someday as minor bug.
I'll look into codes more detail when I get more time.

Edit
Another solution, If u can't avoid using 'destination' and you just need 'destination' query to pass the data to another page but not to redirect then remove the query via submitForm method, this way $form_state will ignore submit redirection from 'destination' query.

\Drupal::request()->query->remove('destination');

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.