Ensure all callers of UrlHelper::fromInternalUri() either operate on validated user input, or catch InvalidArgumentException

Created on 2 July 2015, over 9 years ago
Updated 12 February 2023, almost 2 years ago

Problem/Motivation

#2512452: Confirm form cancel button can lead to external domain → added an exception when an external URI is passed to UrlHelper::fromInternalUri().

This inadvertently fixed the security issue in #2507831: Harden redirect responses to make external URIs opt in (was SA-CORE-2015-002 forward-port) →.

However, it means that instead of the open redirect, end users can now trigger an uncaught exception on a working site simply by supplying an external destination. That is not good, and we should catch the exception in FieldUI::getNextDestination() the same way we already do in ConfirmFormHelper.

Proposed resolution

Apply the same pattern used in ConfirmFormHelper to FieldUI::getNextDestination().

Additionally, in all places where we use UrlHelper::fromInternalUri() we should either:

1. Be calling it only on validated, non-user-controlled input (a path alias, the path of a menu link),
OR
2. Catch the exception and silently produce an empty or default URI instead, or, if not silently, add a trigger_error() call to log what is likely an attempted open redirect attack.
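The second option, written out as an added example. This is not Drupal core's code and not the FieldUI implementation: the helper names example_next_destination() and example_reject_destination(), the $silent flag and the fallback route are assumptions for illustration, and the block needs Drupal's autoloader (Drupal\Component\Utility\UrlHelper and Drupal\Core\Url) to run. It treats the ?destinations[] value as untrusted: an explicitly external path is rejected up front with UrlHelper::isExternal(), and anything Url::fromUserInput() still refuses is caught and replaced by the fallback rather than surfacing as an exception to the end user.

```php
<?php

declare(strict_types=1);

use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Url;

/**
 * Resolves the next destination from a user-supplied ?destinations[] chain.
 *
 * Hypothetical helper (not core's FieldUI::getNextDestination()) showing the
 * pattern proposed above: the destination is query input, so it is either
 * accepted as a validated local path or rejected in favour of a default
 * route. An \InvalidArgumentException never reaches the end user.
 *
 * @param string[] $destinations
 *   Remaining destinations, e.g. the ?destinations[] query values.
 * @param \Drupal\Core\Url $fallback
 *   Route to use when the next destination is rejected.
 * @param bool $silent
 *   When FALSE, rejected values are logged with trigger_error() as a likely
 *   open redirect attempt (assumed policy, see the proposed resolution).
 */
function example_next_destination(array $destinations, Url $fallback, bool $silent = FALSE): Url {
  $next = array_shift($destinations);
  if (!is_string($next) || $next === '') {
    return $fallback;
  }

  // UrlHelper::parse() splits the value into 'path', 'query' and 'fragment'.
  $options = UrlHelper::parse($next);
  // Carry the rest of the chain along so later forms can continue it.
  if ($destinations) {
    $options['query']['destinations'] = $destinations;
  }

  // Explicit check first: '//evil.example/x' and 'http://evil.example/x' are
  // both external and must never become a redirect target.
  if (UrlHelper::isExternal((string) $options['path'])) {
    return example_reject_destination($next, 'external path', $fallback, $silent);
  }

  try {
    // Url::fromUserInput() requires a leading '/', '?' or '#' and throws
    // \InvalidArgumentException for anything it cannot turn into a local
    // Url, including the external-path case hardened in #2512452. The
    // ltrim()/'/' prefix mirrors ConfirmFormHelper's handling of
    // destinations given without a leading slash.
    return Url::fromUserInput('/' . ltrim((string) $options['path'], '/'), $options);
  }
  catch (\InvalidArgumentException $e) {
    return example_reject_destination($next, $e->getMessage(), $fallback, $silent);
  }
}

/**
 * Falls back to the default route, optionally logging the rejected value.
 */
function example_reject_destination(string $value, string $reason, Url $fallback, bool $silent): Url {
  if (!$silent) {
    trigger_error(sprintf('Rejected destination %s (%s); possible open redirect attempt.', var_export($value, TRUE), $reason), E_USER_WARNING);
  }
  return $fallback;
}
```

Called as `example_next_destination(['//evil.example/', '/admin/structure'], Url::fromRoute('<front>'))`, the external first entry is rejected and the front page Url is returned; with `['/admin/structure']` the local path is returned unchanged. Whether the rejection is logged or silent is the caller's choice via $silent, which keeps both variants of option 2 in one place.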

Remaining tasks

User interface changes

API changes

Not as such, but #2512452: Confirm form cancel button can lead to external domain → arguably changed the API by throwing an exception in more cases. Core needs updating for that, and the new behaviour should probably also be documented on UrlHelper::fromInternalUri().

Data model changes

πŸ› Bug report
Status

Active

Version

10.1

Component
Routing

Last updated 3 days ago

Created by

🇬🇧 United Kingdom, catch

Tags

  • Triaged core major
  • Novice
