Add validation to reject invalid characters (?&#) in patterns [#2681299]

Patterns cannot support query strings nor fragments, and there have been several reports filed that could have been prevented if we had extra validation to check for query string and fragment characters.

We should add an additional validation for any characters that are set to be removed or replaced with a separator in the Pathauto settings.

Comment	File	Size	Author
#19	add_validation_to-2681299-19.patch	630 bytes	peschmae
#19	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 44 pass PHP 7 & MySQL 5.5, D8.2 44 pass
#18	interdiff-18.txt	2.02 KB	dermario
#18	add_validation_to-2681299-18.patch	3.27 KB	dermario
#18	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 29 pass PHP 5.6 & MySQL 5.5, D7 29 pass
#16	url-alias-invalid.png	39.99 KB	dermario
#15	interdiff-2681299-13-15.patch	654 bytes	peschmae
#15
#15	add_validation_to-2681299-15.patch	3.03 KB	peschmae
#15	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 29 pass PHP 5.6 & MySQL 5.5, D7 29 pass
#13	add_validation_to-2681299-13.patch	3.02 KB	peschmae
#13	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 26 pass, 3 fail PHP 5.6 & MySQL 5.5, D7 29 pass
#5	2681299-error_message.png	49.19 KB	peschmae
#5	add_validation_to-2681299-4.patch	2.93 KB	peschmae
#5	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 45 pass PHP 7 & MySQL 5.5, D8.2 45 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

4 March 2016 at 18:04

Dave Reid created an issue. See original summary.

Comment #2

Dave Reid

he/him

English

Nebraska USA

CreditAttribution: Dave Reid as a volunteer and at Lullabot commented 4 March 2016 at 18:04

Comment #3

Dave Reid

he/him

English

Nebraska USA

CreditAttribution: Dave Reid as a volunteer and at Lullabot commented 4 March 2016 at 18:06

Issue summary:

View changes

Comment #4

peschmae CreditAttribution: peschmae at Unic commented 16 March 2016 at 12:11

Assigned:

Unassigned

» peschmae

I'll take a shot at this.

Comment #5

peschmae CreditAttribution: peschmae at Unic commented 16 March 2016 at 12:36

Assigned:	peschmae	» Unassigned
Status:	Active	» Needs review

File	Size
add_validation_to-2681299-4.patch	2.93 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 45 pass PHP 7 & MySQL 5.5, D8.2 45 pass
2681299-error_message.png	49.19 KB

I've attached a patch file, which implements a basic pattern validation, against the mentioned characters (?#&).

The validation can easily be extended to check for further characters which are replaced in URLs anyways (e.g. !), but I can also add a second validation to check against those characters.

I've also added a assertion to PathautoUiTest::testPatternsValidation(), but currently only check for #, since I just wanted to test the basic functionality. I could also expand it to check against all invalid characters, but since this is my first contribution to Drupal I was unsure if that is needed/wanted.

I basically tried to mimic the behaviour of "token_element_validate", but was unsure if I should add the newly created "pathauto_pattern_validate" to "after_build" as well.

Comment #6

Berdir

German

Switzerland

CreditAttribution: Berdir at MD Systems GmbH commented 16 March 2016 at 14:10

Status:

Needs review

» Needs work

+++ b/pathauto.module
@@ -153,3 +154,29 @@ function pathauto_entity_base_field_info_alter(&$fields, EntityTypeInterface $en
+    $invalid_characters = ['#', '?', '&'];

I think the idea is to not hardcode those settings but get them from the characters that we replace.

You can get the list from \Drupal\pathauto\AliasCleaner::getPunctuationCharacters

Comment #7

peschmae CreditAttribution: peschmae at Unic commented 16 March 2016 at 15:34

I agree, that all the characters listed in \Drupal\pathauto\AliasCleaner::getPunctuationCharacters don't belong into an entity-alias and I would prefer a more generic list than the one I've hardcoded as well, but in my opinion the list in getPunctuationCharacters is too broad to apply them to the whole pattern, since it contains things like '/','.' and '-' which are quite common in URLs.

The following example is taken from a comment in AliasCleaner:cleanAlias

[token1]/[token2]-[token3]/[token4]

should we really disallow the hypen there?
I think for archives/dates this is a quite common use-case.

Additionally, right now the list from getPunctuationCharacters is currently only applied to the token-values and not the whole pattern (cleanTokenValues vs cleanAlias), accordingly validating against the whole list of characters that get replaced, would change the behaviour of the module quite substantially.

Comment #8

Berdir

German

Switzerland

CreditAttribution: Berdir at MD Systems GmbH commented 16 March 2016 at 15:44

you are right, that list alone isn't enough. If you check how it is used in \Drupal\pathauto\AliasCleaner::cleanString, we only want those that are either set to REMOVE or REPLACE. So instead of the function, you could actually just get the list directly from the configuration, if it's not in there then we also don't do anything.

Comment #9

Berdir

German

Switzerland

CreditAttribution: Berdir at MD Systems GmbH commented 16 March 2016 at 15:46

Assigned:	Unassigned	» Dave Reid
Status:	Needs work	» Needs review

And of course, the default configuration is actually incomplete right now because the only one in there is hyphen it seems?

So yeah, maybe its easier to just hardcode the view that we really care about.

Lets see what @davereid things about this.

Comment #10

2 April 2016 at 10:50

Berdir committed 4376750 on 8.x-1.x authored by peschmae

Issue #2681299 by peschmae: Add validation to reject invalid characters...

Comment #11

Berdir

German

Switzerland

CreditAttribution: Berdir at MD Systems GmbH commented 2 April 2016 at 10:50

Version:	8.x-1.x-dev	» 7.x-1.x-dev
Status:	Needs review	» Patch (to be ported)

Lets do this. Committed.

Comment #12

peschmae CreditAttribution: peschmae at Unic commented 5 April 2016 at 07:31

Assigned:

Dave Reid

» peschmae

I'll take a shot, at porting this to Drupal7

Comment #13

peschmae CreditAttribution: peschmae at Unic commented 7 April 2016 at 11:39

Assigned:	peschmae	» Unassigned
Status:	Patch (to be ported)	» Needs review

File	Size
add_validation_to-2681299-13.patch	3.02 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 26 pass, 3 fail PHP 5.6 & MySQL 5.5, D7 29 pass

I've provided a backport to Drupal 7 for this issue.

Since there was already a validation function in pathauto.admin.inc (_pathauto_validate_numeric_element() ), I've based the implementation on that instead of mimicking the behaviour of 'token_element_validate' which I did for Drupal 8.
I'm not sure about the function naming, especially when to prefix it with an underscore, but copied that from _pathauto_validate_numeric_element

I've also added an assertion to PathautoFunctionalTestCase::testPatternsValidation() but again only checked for '#' and not all three characters.

Comment #14

7 April 2016 at 11:47

Status:

Needs review

» Needs work

The last submitted patch, 13: add_validation_to-2681299-13.patch, failed testing.

Comment #15

peschmae CreditAttribution: peschmae at Unic commented 7 April 2016 at 12:50

Status:

Needs work

» Needs review

File	Size
add_validation_to-2681299-15.patch	3.03 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 29 pass PHP 5.6 & MySQL 5.5, D7 29 pass
interdiff-2681299-13-15.patch	654 bytes

I've used the php5.4 array short syntax, which resulted in the failure of the test on PHP 5.3, this patch fixes it.

Comment #16

dermario

German

Zürich

CreditAttribution: dermario as a volunteer and at Unic commented 7 April 2016 at 21:56

Issue summary:	View changes
Status:	Needs review	» Reviewed & tested by the community

File	Size
url-alias-invalid.png	39.99 KB

This patch does exactly what it should do - its an exact backport from the d8 variant. I reviewed the code, and tested it on my local machine:

The test are fine too.

Comment #17

Dave Reid

he/him

English

Nebraska USA

CreditAttribution: Dave Reid as a volunteer and at Lullabot commented 7 April 2016 at 21:59

Status:

Reviewed & tested by the community

» Needs work

+++ b/pathauto.admin.inc
@@ -224,6 +224,33 @@ function _pathauto_validate_numeric_element($element, &$form_state) {
+function _pathauto_validate_invalid_characters($element, &$form_state) {

Let's keep this close to the D8 version, so name this "pathauto_pattern_validate"


<code>
+++ b/pathauto.admin.inc
@@ -37,7 +37,7 @@ function pathauto_patterns_form($form, $form_state) {
-      '#element_validate' => array('token_element_validate'),
+      '#element_validate' => array('token_element_validate', '_pathauto_validate_invalid_characters'),
       '#after_build' => array('token_element_validate'),

@@ -55,7 +55,7 @@ function pathauto_patterns_form($form, $form_state) {
-          '#element_validate' => array('token_element_validate'),
+          '#element_validate' => array('token_element_validate', '_pathauto_validate_invalid_characters'),
           '#after_build' => array('token_element_validate'),

It looks like the original patch also missed adding this validation to when the form loaded. We'll need to do this as well.

Comment #18

dermario

German

Zürich

CreditAttribution: dermario as a volunteer and at Unic commented 7 April 2016 at 22:59

Status:

Needs work

» Needs review

File	Size
add_validation_to-2681299-18.patch	3.27 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 29 pass PHP 5.6 & MySQL 5.5, D7 29 pass
interdiff-18.txt	2.02 KB

Ok, the function naming of @peschmae was consistent to the existing _pathauto_validate_numeric_element(), thats why i didn't mentioned that. I renamed that function to pathauto_pattern_validate() and added it (with 1 small modification) to #after_build. Now the form gets validated when the form is loaded.