redirect() method always sets absolute to TRUE, so absolute TRUE option does not need to be sent.

Created on 21 August 2016, over 8 years ago
Updated 2 May 2023, over 1 year ago

Problem/Motivation

Follow-up to and postponed on #2515050-94: A valid one-time login link may be leaked by the referer header to 3rd parties

redirect() method always sets absolute to TRUE, so absolute TRUE option does not need to be sent.

For example:

+++ b/core/modules/user/src/Controller/UserController.php
@@ -104,33 +132,117 @@ public function resetPass($uid, $timestamp, $hash) {
+      return $this->redirect(
+        'entity.user.edit_form',
+        ['user' => $user->id()],
+        [
+          'query' => ['pass-reset-token' => $token],
+          'absolute' => TRUE,
+        ]
+      );
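Review bot: the `'absolute' => TRUE` entry in the options array passed to `$this->redirect()` is redundant, since `ControllerBase::redirect()` sets `$options['absolute'] = TRUE` itself before building the Url, so the caller's value is simply overwritten. Drop that line so the options array carries only `'query' => ['pass-reset-token' => $token]`; the redirect stays absolute either way, and the code no longer suggests that the caller is responsible for it.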

Proposed resolution

Remove the redundant `'absolute' => TRUE` option from the redirect() call and make sure the form state always sets the Url object to be absolute.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Needs work

Version

9.5

Component
User system 

Last updated 3 days ago

Created by

🇺🇸United States yesct


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • 🇮🇳India nikhil_110

    Attached patch against Drupal 9.5.x-dev

    Patch #19 does not apply to Drupal 9.5.x-dev, so an interdiff file is not added.

    git apply -v 2787563.patch 
    Checking patch core/modules/user/src/Controller/UserController.php...
    error: while searching for:
            ['user' => $user->id()],
            [
              'query' => ['pass-reset-token' => $token],
              'absolute' => TRUE,
            ]
          );
        }
    
    error: patch failed: core/modules/user/src/Controller/UserController.php:256
    error: core/modules/user/src/Controller/UserController.php: patch does not apply
  • Test results (Environment: PHP 8.1 & MySQL 5.7, last update over 1 year ago): 30,301 pass, 3 fail