After upgrade to Drupal 8.9.1, https://www.mysite.com/saml_login?RetrnTo=/home started giving temporarily unavailable error.

Error Description:
InvalidArgumentException: A path was passed when a fully qualified domain was expected. in Drupal\Component\Utility\UrlHelper::externalIsLocal() (line 262 of /var/www/html/core/lib/Drupal/Component/Utility/UrlHelper.php).

CommentFileSizeAuthor
#3 3155565-guard-malformed-returnto.patch729 bytestmwagner

Comments

Rajeshreeputra created an issue. See original summary.

kanchamk’s picture

kanchamk commented

Append your full URL to "ReturnTo" query. you can get the site url as given below.

$host= \Drupal::request()->getSchemeAndHttpHost();

So full url should be https://www.mysite.com/saml_login?RetrnTo=https://www.mysite.com/home

tmwagner’s picture

tmwagner commented
Version: 8.x-3.2 » 4.0.1
Assigned: Unassigned » tmwagner
Status: Active » Needs review
Issue tags: +Needs review
StatusFileSize
new 3155565-guard-malformed-returnto.patch729 bytes

Comprehensive patch to fix InvalidArgumentException for malformed ReturnTo values

I've encountered the same issue and created a patch that fixes both the relative path case reported here AND malformed URLs (e.g., http:/example.com, http:///path, http://).

Root Cause:

The issue occurs at line 156 in SimplesamlphpAuthController.php:

if ($this->pathValidator->isValid($return_to) && UrlHelper::externalIsLocal($return_to, $base_url))

Both pathValidator->isValid() and UrlHelper::externalIsLocal() throw InvalidArgumentException when given invalid input:
- Relative paths like /home (reported in this issue)
- Malformed URLs like http:/example.com (missing slash)
- Other invalid formats where parse_url() returns FALSE

Solution:

Add UrlHelper::isValid($return_to, TRUE) as the first condition:

if (UrlHelper::isValid($return_to, TRUE) && $this->pathValidator->isValid($return_to) && UrlHelper::externalIsLocal($return_to, $base_url))

This works because:
- UrlHelper::isValid() returns FALSE for invalid input without throwing
- PHP's && short-circuits, preventing the throwing methods from executing
- No new imports needed — UrlHelper is already imported

Tested on Drupal 10.x with simplesamlphp_auth 4.0.1 and 4.1.0. Bug exists in both versions.

Patch attached.