Issue #2423579 by mpdonadio, xjm, heilop, Wim Leers, webchick:...

Issue #2423579 by mpdonadio, xjm, heilop, Wim Leers, webchick: Url::fromUrl('user-path:/') should throw an exception when a path component without a slash is given

core/lib/Drupal/Core/Url.php

@@ -353,6 +353,9 @@ protected static function fromEntityUri(array $uri_parts, array $options, $uri)
    *
    * @return \Drupal\Core\Url
    *   A new Url object for a 'user-path:' URI.
+   *
+   * @throws \InvalidArgumentException
+   *   Thrown when the URI's path component doesn't have a leading slash.
    */
   protected static function fromUserPathUri(array $uri_parts, array $options) {
     // Both PathValidator::getUrlIfValidWithoutAccessCheck() and 'base:' URIs
@@ -366,6 +369,9 @@ protected static function fromUserPathUri(array $uri_parts, array $options) {
       $uri_parts['path'] = '<front>';
     }
     else {
+      if ($uri_parts['path'][0] !== '/') {
+        throw new \InvalidArgumentException(String::format('The user-path path component "@path" is invalid. Its path component must have a leading slash, e.g. user-path:/foo.', ['@path' => $uri_parts['path']]));
+      }
       // Remove the leading slash.
       $uri_parts['path'] = substr($uri_parts['path'], 1);
     }

core/modules/link/src/Plugin/Field/FieldWidget/LinkWidget.php

@@ -154,6 +154,7 @@ public static function validateUriElement($element, FormStateInterface $form_sta
     //   https://www.drupal.org/node/2421941
     if (parse_url($uri, PHP_URL_SCHEME) === 'user-path' && !in_array($element['#value'][0], ['/', '?', '#'], TRUE) && substr($element['#value'], 0, 7) !== '<front>') {
       $form_state->setError($element, t('Manually entered paths should start with /, ? or #.'));
+      return;
     }
 
     // If the URI is empty or not well-formed, the link field type's validation

core/tests/Drupal/Tests/Core/UrlTest.php

@@ -636,6 +636,78 @@ public function providerTestToUriStringForUserPath() {
     ];
   }
 
+  /**
+   * Tests the fromUri() method with a valid user-path: URI.
+   *
+   * @covers ::fromUri
+   * @dataProvider providerFromValidUserPathUri
+   */
+  public function testFromValidUserPathUri($path) {
+    $url = Url::fromUri('user-path:' . $path);
+    $this->assertInstanceOf('Drupal\Core\Url', $url);
+  }
+
+  /**
+   * Data provider for testFromValidUserPathUri().
+   */
+  public function providerFromValidUserPathUri() {
+    return [
+      // Normal paths with a leading slash.
+      ['/kittens'],
+      ['/kittens/bengal'],
+      // Fragments with and without leading slashes.
+      ['/#about-our-kittens'],
+      ['/kittens#feeding'],
+      ['#feeding'],
+      // Query strings with and without leading slashes.
+      ['/kittens?page=1000'],
+      ['/?page=1000'],
+      ['?page=1000'],
+      // Paths with various token formats but no leading slash.
+      ['/[duckies]'],
+      ['/%bunnies'],
+      ['/{{ puppies }}'],
+      // Disallowed characters in the authority (host name) that are valid
+      // elsewhere in the path.
+      ['/(:;2&+h^'],
+      ['/AKI@&hO@'],
+    ];
+  }
+
+  /**
+   * Tests the fromUri() method with an invalid user-path: URI.
+   *
+   * @covers ::fromUri
+   * @expectedException \InvalidArgumentException
+   * @dataProvider providerFromInvalidUserPathUri
+   */
+  public function testFromInvalidUserPathUri($path) {
+    Url::fromUri('user-path:' . $path);
+  }
+
+  /**
+   * Data provider for testFromInvalidUserPathUri().
+   */
+  public function providerFromInvalidUserPathUri() {
+    return [
+      // Normal paths without a leading slash.
+      ['kittens'],
+      ['kittens/bengal'],
+      // Path without a leading slash containing a fragment.
+      ['kittens#feeding'],
+      // Path without a leading slash containing a query string.
+      ['kittens?page=1000'],
+      // Paths with various token formats but no leading slash.
+      ['[duckies]'],
+      ['%bunnies'],
+      ['{{ puppies }}'],
+      // Disallowed characters in the authority (host name) that are valid
+      // elsewhere in the path.
+      ['(:;2&+h^'],
+      ['AKI@&hO@'],
+    ];
+  }
+
   /**
    * Tests the toUriString() method with route: URIs.
    *