Prevent aliases from starting with a dot

Created on 2 November 2023, about 1 year ago
Updated 4 December 2023, about 1 year ago

Problem/Motivation

Nodes become inaccessible (403 HTTP code) when using a token which will generate a pattern starting with a dot.

Steps to reproduce

  1. Create an alias pattern with the title of the node as token for all content types
  2. Make sure that the "strings to remove" setting at /admin/config/search/path/settings has at least "a" in it to be removed
  3. Create a node with the title "A.Foo"
  4. The alias will be ".foo"
  5. In many well configured webservers this will result in a 403 HTTP code as the webserver prevents loading hidden files (which start with a dot)

Proposed resolution

Check that an alias can't start with a dot.

I'm not sure if this should be a setting or not. I can't find any reason (yet) why you really want to have an alias starting with a dot but if someone got a case, it should become a setting to disable removing a starting dot.

📌 Task
Status

Active

Version

1.11

Component

Code

Created by

🇳🇱Netherlands Rik Wijnen

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @Rik Wijnen
  • 🇳🇱Netherlands Rik Wijnen

    Patch added which could fix this.

  • 🇮🇳India sijumpk

    Tried creating a node with title "A.Foo" and the resulted url is /afoo, as expected. "a" is there in the "strings to remove" list while doing this. It seems like all dots are getting replaced irrespective of its position. Its done inside AliasCleaner::cleanString method. Is it just for me or is there anyone who can recreate this issue?

  • 🇮🇳India Meeni_Dhobale

    I also tried to reproduce this issue without applying the patch with title "A.Foo" and my URL is "/afoo". I didn't see any kind of 403 HTTP code. I am also not able to reproduce this issue.

  • 🇳🇱Netherlands Rik Wijnen

    I'm sorry, I realize that I was forgotten one setting;
    In step 2, you have to select "no action (do not replace)" for "period (.)" in the "punctuation" section of /admin/config/search/path/settings too to make it break.

    If you make sure "a" is in the list AND dots must not be replaced, a node with title "A.Foo" will result in url ".foo".

    And yes, I'm telling the system to not replace dots but this is a special case because this one will break your site with widely used server configurations. Maybe it should be a setting in the module to prevent urls being starting with a dot, so it can be enabled if your webserver does not allow files and directories to begin with a dot.

Production build 0.71.5 2024