Ensure all callers of UrlHelper::fromInternalUri() either operate on validated user input, or catch InvalidArgumentException

Open on Drupal.org →

Created on 2 July 2015, over 9 years ago

Updated 12 February 2023, almost 2 years ago

Problem/Motivation

#2512452: Confirm form cancel button can lead to external domain → added an exception when an external URI is passed to UrlHelper::fromInternalUri().

This inadvertently fixed the security issue with #2507831: Harden redirect responses to make external URIs opt in (was SA-CORE-2015-002 foward-port) → .

However it means that instead of the security issue, end-users can still trigger exceptions on a working site. This is not good and we should catch the exception in FieldUI::getNextDestination() the same as we do in ConfirmFormHelper.

Proposed resolution

Apply the same pattern used in ConfirmFormHelper to FieldUi::getNextDestination()

Additionally, in all places where we use UrlHelper::fromInternalUri() we should either:

1. Be calling it on validated user input (a path alias, a path for a menu link)
OR
2. Catch the exception and silently produce an empty or default URI instead, or if not silently add a trigger_error() to log what is likely to be an attempted open redirect attack.

Remaining tasks

User interface changes

API changes

Not as such, but #2512452: Confirm form cancel button can lead to external domain → arguably changed the API by throwing an exception in more cases and core needs updating for that as well as possibly documentation on UrlHelper::fromInternalUri().

Data model changes

🐛 Bug report

Status

Active

Version

10.1 ✨

Component

Last updated 6 minutes ago

Maintained by
🇺🇸United States @tim.plunkett

Created by

🇬🇧United Kingdom catch

Live updates comments and jobs are added and updated live.

DrupalCampES

Triaged core major
There is consensus among core maintainers that this is a major issue. Only core committers should add this tag.

Novice
It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

Bug Smash Initiative

Incomplete comments

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment almost 2 years ago →
🇺🇸United States tim.plunkett Philadelphia
No patch
Comment 3 days ago →
🇵🇱Poland sayco Toruń
First of all, I think the ticket needs to be updated with the information that the fromInternalUri is now part of the Url class, not the UrlHelper.

The other thing about this (before we apply any changes in the code) is that the implementation of the function is wrongly designed. It breaks the SRP, as it’s not only responsible for creating the internal URI, but also for validation against the external URI. I think this is the wrong approach.

I know it requires a lot of changes, but the fromInternalUri should be responsible for building the internal URI from whatever is given, or it should return a null value or raise an exception. Whatever is using the function should be responsible for handling the exception or null value, checking what the given value is, and taking appropriate actions depending on the outcome. It shouldn’t be the responsibility of the fromInternalUri method to know about other dependencies and all the use cases.

We also should avoid adding any silent caches in the code. At the very least, logging with debug level should be added. Otherwise, it’s hard to guess that anything unexpected happened in the code.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024