Loading core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashesSubscriber.php +4 −4 Original line number Diff line number Diff line Loading @@ -8,12 +8,12 @@ use Symfony\Component\EventDispatcher\EventSubscriberInterface; /** * Redirects paths starting with multiple slashes to a single slash. * Redirects paths containing successive slashes to those with single slashes. */ class RedirectLeadingSlashesSubscriber implements EventSubscriberInterface { /** * Redirects paths starting with multiple slashes to a single slash. * Redirects paths containing successive slashes to those with single slashes. * * @param \Symfony\Component\HttpKernel\Event\RequestEvent $event * The RequestEvent to process. Loading @@ -28,8 +28,8 @@ public function redirect(RequestEvent $event) { // submits back to the same URI this presents an open redirect // vulnerability. Also, Drupal 7 renders the same page for // http://www.example.org/foo and http://www.example.org////foo. if (strpos($path, '//') === 0) { $path = '/' . ltrim($path, '/'); if (strpos($path, '//') !== FALSE) { $path = preg_replace('/\/+/', '/', $path); $qs = $request->getQueryString(); if ($qs) { $qs = '?' . $qs; Loading core/modules/system/tests/src/Functional/Routing/RouterTest.php +7 −6 Original line number Diff line number Diff line Loading 
@@ -319,17 +319,18 @@ public function testRouterUninstallInstall() { } /** * Ensure that multiple leading slashes are redirected. * Ensure that multiple successive slashes are redirected. */ public function testLeadingSlashes() { public function testSuccessiveSlashes() { $request = $this->container->get('request_stack')->getCurrentRequest(); $url = $request->getUriForPath('//router_test/test1'); // Test a simple path with successive leading slashes. $url = $request->getUriForPath('//////router_test/test1'); $this->drupalGet($url); $this->assertSession()->addressEquals($request->getUriForPath('/router_test/test1')); // It should not matter how many leading slashes are used and query strings // should be preserved. $url = $request->getUriForPath('/////////////////////////////////////////////////router_test/test1') . '?qs=test'; // Test successive slashes in the middle. $url = $request->getUriForPath('/router_test//////test1') . '?qs=test'; $this->drupalGet($url); $this->assertSession()->addressEquals($request->getUriForPath('/router_test/test1') . '?qs=test'); Loading Loading
core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashesSubscriber.php +4 −4 Original line number Diff line number Diff line Loading @@ -8,12 +8,12 @@ use Symfony\Component\EventDispatcher\EventSubscriberInterface; /** * Redirects paths starting with multiple slashes to a single slash. * Redirects paths containing successive slashes to those with single slashes. */ class RedirectLeadingSlashesSubscriber implements EventSubscriberInterface { /** * Redirects paths starting with multiple slashes to a single slash. * Redirects paths containing successive slashes to those with single slashes. * * @param \Symfony\Component\HttpKernel\Event\RequestEvent $event * The RequestEvent to process. Loading @@ -28,8 +28,8 @@ public function redirect(RequestEvent $event) { // submits back to the same URI this presents an open redirect // vulnerability. Also, Drupal 7 renders the same page for // http://www.example.org/foo and http://www.example.org////foo. if (strpos($path, '//') === 0) { $path = '/' . ltrim($path, '/'); if (strpos($path, '//') !== FALSE) { $path = preg_replace('/\/+/', '/', $path); $qs = $request->getQueryString(); if ($qs) { $qs = '?' . $qs; Loading
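Review bot: The rewritten condition in redirect() now fires for `//` anywhere in `$path`, but the comment directly above it still justifies the redirect only by the leading-slash open-redirect case, so the reason for collapsing interior runs is undocumented. I would add `// Collapsing every run of slashes still leaves exactly one leading slash, so the target can never be read as a protocol-relative URL; interior runs are collapsed only to give one canonical path.` above the `preg_replace()` line. Any route that legitimately receives an empty segment or an unencoded URL inside the path (for instance `/prefix/http://…`, a constructed example) would now be redirected to a different path, which looks like a behaviour change worth confirming against existing routes. The class is still named RedirectLeadingSlashesSubscriber, which no longer matches what it does. redirect() starts and ends outside the hunk, so how `$path` is obtained and how the response is built are not visible here.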
core/modules/system/tests/src/Functional/Routing/RouterTest.php +7 −6 Original line number Diff line number Diff line Loading @@ -319,17 +319,18 @@ public function testRouterUninstallInstall() { } /** * Ensure that multiple leading slashes are redirected. * Ensure that multiple successive slashes are redirected. */ public function testLeadingSlashes() { public function testSuccessiveSlashes() { $request = $this->container->get('request_stack')->getCurrentRequest(); $url = $request->getUriForPath('//router_test/test1'); // Test a simple path with successive leading slashes. $url = $request->getUriForPath('//////router_test/test1'); $this->drupalGet($url); $this->assertSession()->addressEquals($request->getUriForPath('/router_test/test1')); // It should not matter how many leading slashes are used and query strings // should be preserved. $url = $request->getUriForPath('/////////////////////////////////////////////////router_test/test1') . '?qs=test'; // Test successive slashes in the middle. $url = $request->getUriForPath('/router_test//////test1') . '?qs=test'; $this->drupalGet($url); $this->assertSession()->addressEquals($request->getUriForPath('/router_test/test1') . '?qs=test'); Loading
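Review bot: The leading-slash case, which is the one the subscriber's comment ties to the open redirect, is no longer exercised together with a query string, because the old second assertion in testSuccessiveSlashes() was replaced by the mid-path one. I would keep a combined case, e.g. `$url = $request->getUriForPath('//router_test//test1') . '?qs=test';` followed by the same `addressEquals($request->getUriForPath('/router_test/test1') . '?qs=test')` check, so that leading and interior runs are covered in one request. A trailing run such as `/router_test/test1//` is also untested, and the hunk does not show what address it is expected to end at.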