#2512452: Confirm form cancel button can lead to external domain added an exception when an external URI is passed to UrlHelper::fromInternalUri().
This inadvertently fixed the security issue with #2507831: Harden redirect responses to make external URIs opt in (was SA-CORE-2015-002 forward-port).
However, it means that instead of the security issue (an open redirect), end users can now trigger an uncaught exception on a working site. This is not good; we should catch the exception in FieldUI::getNextDestination() the same way we already do in ConfirmFormHelper.
Apply the same pattern used in ConfirmFormHelper to FieldUI::getNextDestination().
Additionally, in all places where we use UrlHelper::fromInternalUri() we should either:
1. Be calling it on validated user input (a path alias, a path for a menu link)
OR
2. Catch the exception and silently produce an empty or default URI instead, or, if not silently, add a trigger_error() to log what is likely an attempted open redirect attack.
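As an added, stand-alone PHP illustration of the pattern this issue asks for (it is not core's ConfirmFormHelper or FieldUI code; the two function names are hypothetical stand-ins for UrlHelper::fromInternalUri() and FieldUI::getNextDestination(), and the sample inputs are constructed):

```php
<?php
// Hypothetical stand-in for UrlHelper::fromInternalUri(): builds an internal
// path from user-supplied input and throws when the input would leave the site.
function fromInternalUriStandIn(string $input): string {
  // Browsers treat "\" as "/", so "/\host" is really "//host".
  $path = str_replace('\\', '/', $input);
  // Leading control characters or whitespace may be ignored by browsers.
  if (preg_match('/^[\x00-\x20]/', $path)) {
    throw new \InvalidArgumentException("Leading control character in '$input'.");
  }
  // Protocol-relative ("//host") or scheme-prefixed ("http:", "mailto:", ...)
  // input is external; a "/", "?" or "#" before any colon means it is not.
  if (strpos($path, '//') === 0 || preg_match('#^[a-z][a-z0-9+.-]*:#i', $path)) {
    throw new \InvalidArgumentException("The path '$input' is external.");
  }
  return '/' . ltrim($path, '/');
}

// Hypothetical stand-in for FieldUI::getNextDestination(): resolves the next
// destination from a ?destination= query value using option 2 above. The
// exception is caught, the default is used, and the event is logged so a
// likely open-redirect attempt is visible instead of a fatal error.
function getNextDestinationStandIn(array $query, string $default = '/'): string {
  if (!isset($query['destination'])) {
    return $default;
  }
  try {
    return fromInternalUriStandIn($query['destination']);
  }
  catch (\InvalidArgumentException $e) {
    trigger_error('Rejected destination: ' . $e->getMessage(), E_USER_WARNING);
    return $default;
  }
}

// Constructed sample inputs: one legitimate path, three attempted open redirects.
$samples = ['admin/structure/types', '//external.example', '/\external.example',
  'http://external.example/'];
foreach ($samples as $destination) {
  echo $destination, ' => ', getNextDestinationStandIn(['destination' => $destination]), PHP_EOL;
}
```

Only the first sample resolves to an internal path; each of the other three is logged as a rejected destination and falls back to the default.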
Not as such, but #2512452: Confirm form cancel button can lead to external domain arguably changed the API by throwing an exception in more cases, and core needs updating for that as well as possibly documentation on UrlHelper::fromInternalUri().
Active
10.1