We have seen the following behaviour on a site:

1. https://site.com/index.php/user/login <-- Redirects correctly to https://site.com/user/login
2. https://site.com/%69ndex.php/user/login <-- Redirects to https://site.com/index.php/user/login

With scenario 2 above, the index.php is carried around all future parts of the site you click on.

This is getting around rules we have to lock the admin UI down to certain IPs etc. I'm not sure I could make a rule that would cater for all possibilities (keeping in mind I'm not an expert at that sort of thing)

Is this expected behaviour? Would there be example htaccess rules that I could configure to do proper redirects?

Stragely - Happens a lot more in Firefox than Chrome, and is slightly inconsistent. Maybe due to caching?

CommentFileSizeAuthor
#4 clean-urls-redirect.png14.26 KBdanielveza
#4 clean-urls-encoding-3067170-4.patch639 bytesdanielveza

Comments

DanielVeza created an issue. See original summary.

cilefen’s picture

cilefen commented
Related issues: +#2688632: index.php is inserted in menu links
danielveza’s picture

danielveza
he/him
Location Brisbane, AU
commented

Done a bit more digging on this. In the contrib module redirect - I've set the "Enforce clean and canonical URLs" setting. During this and testing it was raised that this is being bypassed when index.php is encoded.

I'm not 100% sure if this should be fixed in the redirect module or Core but personally it seems that this is a core bug with the isCleanUrl function.

I've added a small patch to fix this. I'd be interested in hearing core peoples opinions before taking it any further.

danielveza’s picture

danielveza
he/him
Location Brisbane, AU
commented
Title: Clean URLs broken with URL encoding » Clean URLs broken with URL encoding / RequestHelper::isCleanUrl doesn't work with encoding
StatusFileSize
new clean-urls-encoding-3067170-4.patch639 bytes
new clean-urls-redirect.png14.26 KB

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

smustgrave’s picture

smustgrave commented
Issue tags: +Bug Smash Initiative, +Needs tests, +Needs issue summary update

This came up as the daily BSI target

Just tested on a 11.4 project and can confirm the issue still exists.

Can we update the summary to the standard template.

Will also need test coverage. I don't see anything directly testing RequestHelper helper but maybe a unit or kernel test would be best.