Issue #2852361 by Xano, smustgrave, pwolanin, mpdonadio, wolffereast,...

Issue #2852361 by Xano, smustgrave, pwolanin, mpdonadio, wolffereast, ranjith_kumar_k_u, John Cook, xjm, alexpott: Ignore repeated slashes in the incoming path like Drupal <= 7

(cherry picked from commit 511778a7)
parent 9e5a9424
......@@ -8,12 +8,12 @@
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
/**
* Redirects paths starting with multiple slashes to a single slash.
* Redirects paths containing successive slashes to those with single slashes.
*/
class RedirectLeadingSlashesSubscriber implements EventSubscriberInterface {
/**
* Redirects paths starting with multiple slashes to a single slash.
* Redirects paths containing successive slashes to those with single slashes.
*
* @param \Symfony\Component\HttpKernel\Event\RequestEvent $event
* The RequestEvent to process.
......@@ -28,8 +28,8 @@ public function redirect(RequestEvent $event) {
// submits back to the same URI this presents an open redirect
// vulnerability. Also, Drupal 7 renders the same page for
// http://www.example.org/foo and http://www.example.org////foo.
if (strpos($path, '//') === 0) {
$path = '/' . ltrim($path, '/');
if (strpos($path, '//') !== FALSE) {
$path = preg_replace('/\/+/', '/', $path);
$qs = $request->getQueryString();
if ($qs) {
$qs = '?' . $qs;
......
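Review bot: The class is still named `RedirectLeadingSlashesSubscriber` while the new condition `strpos($path, '//') !== FALSE` and `preg_replace('/\/+/', '/', $path)` turn it into a general path-canonicalisation step, so the class docblock should state the mismatch rather than leave the name to mislead, e.g. `Despite its name, this subscriber also collapses repeated slashes inside the path, not only leading ones.` The open-redirect reasoning in the comment directly above the condition still holds, since a collapsed `$path` can no longer start with `//` and be read as a protocol-relative URL — assuming the Location is built from the normalised `$path`, which happens outside this hunk. One robustness caveat: `preg_replace()` returns `NULL` on a PCRE error; `\/+` cannot backtrack pathologically so this is unlikely, but `$path = preg_replace('#/+#', '/', $path) ?? $path;` keeps a string in hand and drops the escaped-slash delimiter. `redirect()` starts and ends outside this hunk.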
......@@ -319,17 +319,18 @@ public function testRouterUninstallInstall() {
}
/**
* Ensure that multiple leading slashes are redirected.
* Ensure that multiple successive slashes are redirected.
*/
public function testLeadingSlashes() {
public function testSuccessiveSlashes() {
$request = $this->container->get('request_stack')->getCurrentRequest();
$url = $request->getUriForPath('//router_test/test1');
// Test a simple path with successive leading slashes.
$url = $request->getUriForPath('//////router_test/test1');
$this->drupalGet($url);
$this->assertSession()->addressEquals($request->getUriForPath('/router_test/test1'));
// It should not matter how many leading slashes are used and query strings
// should be preserved.
$url = $request->getUriForPath('/////////////////////////////////////////////////router_test/test1') . '?qs=test';
// Test successive slashes in the middle.
$url = $request->getUriForPath('/router_test//////test1') . '?qs=test';
$this->drupalGet($url);
$this->assertSession()->addressEquals($request->getUriForPath('/router_test/test1') . '?qs=test');
......
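Review bot: `testSuccessiveSlashes()` only checks the address Mink ends up on after following redirects, so it cannot distinguish a single hop to the canonical path from a redirect chain, and it has no negative case showing that an already-canonical request such as `/router_test/test1` is served directly. Add a combined case so both positions are exercised in one request, `$url = $request->getUriForPath('//router_test//test1') . '?qs=test';` followed by the same `addressEquals` assertion, plus a plain `$this->drupalGet($request->getUriForPath('/router_test/test1'));` with `$this->assertSession()->statusCodeEquals(200);`. If the test base class exposes the underlying BrowserKit client, also assert that the first response is a redirect (301 or 302) and that exactly one hop occurred; whether that hook is available is not visible from this hunk.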