UrlHelper::buildQuery() should encode slashes

Created on 1 December 2016, about 9 years ago

Updated 28 February 2023, almost 3 years ago

Problem/Motivation

598e739208de28182f3329a2c23511f5c27489e5 introduced drupal_http_build_query(). For some reason, the choice was made to unencode slashes when encoding parameters:

      // For better readability of paths in query strings, we decode slashes.
      // @see drupal_encode_path()
      $params[] = $key . '=' . str_replace('%2F', '/', rawurlencode($value));

This behavior carried forward into Drupal 8's UrlHelper::buildQuery().

While RFC 3986 actually addresses the possibility of leaving "slash" / unencoded (see RFC 3986 section 3.4 'Query', https://www.ietf.org/rfc/rfc3986.txt), PHP itself does natively encode it. So do the equivalent functions in a sampling of other languages:

PHP:
php > print urlencode('foo=bar/baz&stuff=things');
foo%3Dbar%2Fbaz%26stuff%3Dthings

Ruby:
irb(main):005:0> CGI.escape('foo=bar/baz&stuff=things')
=> "foo%3Dbar%2Fbaz%26stuff%3Dthings"

Python:
>>> import urllib
>>> params = {'foo': 'bar/baz', 'stuff': 'things'}
>>> urllib.urlencode(params)
'foo=bar%2Fbaz&stuff=things'

Javascript:
> encodeURIComponent('foo=bar/baz&stuff=things')
'foo%3Dbar%2Fbaz%26stuff%3Dthings'

I am sure there are counter-examples, but encoding the slash is pretty standard behavior.

Under many circumstances, Drupal's behavior here is strictly cosmetic, and possibly preferable for visibility, as the comment states. However, there are cases where there is a shared understanding of what urlencoding does is required, and that shared understanding should be respected.

For example, query parameters can be used to construct signed signatures via a shared secret to ensure that incoming requests to an API are from a trusted source. If one of those parameters contains a URL generated by Drupal, the parameter value will differ from what might be expected by another application. This would also affect the generated signature, and cause a mismatch when checking the signature.

Proposed resolution

Remove the substitution:

        // For better readability of paths in query strings, we decode slashes.
        $params[] = $key . '=' . rawurlencode($value);

Alternately I could see it as an additional option to class Url's options argument, to catch cases where users are explicitly relying on the slash being present unencoded in a parameter. But, that should be discussed by people that know core better than me.

📌 Task

Status

Active

Version

10.1 ✨

Component

Base →

Last updated 3 months ago

Maintained by
🇺🇸United States @effulgentsia
🇬🇧United Kingdom @catch
🇬🇧United Kingdom @alexpott
🇦🇺Australia @larowlan
🇺🇸United States @bnjmnm
🇫🇷France @nod_
🇪🇸Spain @ckrina
🇬🇧United Kingdom @justafish

Created by

🇺🇸United States timcosgrove

Live updates comments and jobs are added and updated live.

Bug Smash Initiative

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment almost 3 years ago →
🇺🇸United States mediabounds
Attaching a patch of the suggested change from the description.

I encountered this issue while using the simple_oauth module on a Drupal site that had requests routed through fast-proxy. A recent release of fast-proxy (https://github.com/fastify/fast-proxy/releases/tag/v1.8.0) removes instances where there are 2+ subsequent slashes in the URL--regardless of where they happen in the URL. The callback URL used by OAuth2 during authentication was getting a slash removed by the proxy. By encoding the query parameters, the issue was mitigated.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024