- Issue created by @.nickiv
- 🇫🇮 Finland back-2-95 Helsinki
We have encountered the same with 3.10 version.
Also checked that changes from https://git.drupalcode.org/project/samlauth/-/commit/b938d0c56d5319c07ce... started to trigger the warning.
There is also a related discussion, even if it's older: https://lab.civicrm.org/dev/drupal/-/issues/173
What I could say about our site is that it's fully behind authentication, so the user gets redirected to SAML login when accessing the homepage or any page. If this helps.
- First commit to issue fork.
- Merge request !263486925: Update SamlController to generate URL without context (Merged) created by nsciacca
- 🇺🇸 United States nsciacca
I read through all the other issues like 3232577 (Code leaked cacheability metadata, Active), did a traceback, and found the same issue as reported: it's the destination param and the URL generation that's leaking the data. Using the example in the Lullabot article, I updated the call to the Url class to include the TRUE flag for collecting the metadata and returning the generated URL. Available for testing in the MR. Here's a link to the patch as well: https://git.drupalcode.org/project/samlauth/-/merge_requests/26/diffs.patch
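The change described in the comment above, sketched as an added example that is not the samlauth module's code or the merge request's diff. The module name `example_sso`, the controller class and its method names are hypothetical; `Url::toString(TRUE)` and `GeneratedUrl::getGeneratedUrl()` are Drupal core API.

```php
<?php

namespace Drupal\example_sso\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;

/**
 * Hypothetical controller (not samlauth's SamlController).
 */
class ExampleSsoController extends ControllerBase {

  /**
   * Before: toString() with no argument bubbles the URL's cacheability
   * metadata into the active render context. A plain RedirectResponse
   * cannot carry that metadata, so core reports it as leaked.
   */
  public function redirectLeaky(Request $request): RedirectResponse {
    return new RedirectResponse($this->destinationUrl($request)->toString());
  }

  /**
   * After: toString(TRUE) returns a GeneratedUrl object that holds the
   * metadata itself, so nothing bubbles into the render context.
   */
  public function redirectClean(Request $request): RedirectResponse {
    $generated = $this->destinationUrl($request)->toString(TRUE);
    // The collected metadata is dropped here on purpose: this response
    // does not implement CacheableResponseInterface.
    return new RedirectResponse($generated->getGeneratedUrl());
  }

  /**
   * Builds the redirect target from the 'destination' query parameter.
   * Assumption of this example: only site-local paths are accepted and
   * anything else falls back to the front page.
   */
  protected function destinationUrl(Request $request): Url {
    $destination = $request->query->get('destination', '');
    if (is_string($destination)
      && str_starts_with($destination, '/')
      && !str_starts_with($destination, '//')) {
      return Url::fromUserInput($destination);
    }
    return Url::fromRoute('<front>');
  }

}
```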
- First commit to issue fork.
- roderik committed 2b8cd36f on 8.x-3.x authored by nsciacca
Issue #3486925 by nsciacca, .nickiv: Cacheability Metadata Leakage Error...
- 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU
Thank you for fixing this. The fix is exactly as it should be. "Redirect after login not correct when using base_path" (Fixed) should never have been committed as-is, especially since the main maintainer of this module (me) is probably the one making the most noise about these errors, and possibly the only one spamming people's logs.
(By the way, I'm not even sure that the warning is accurate anymore, since "Exception in EarlyRenderingControllerWrapperSubscriber is a DX nightmare, remove it" (Needs work) has been unceremoniously committed, after waiting in limbo for 8 years. I'll have to read up on the current situation / re-test which exact circumstances would still make Core trigger such a "leaked cacheability metadata" exception.)
- Automatically closed - issue fixed for 2 weeks with no activity.
- Status changed to Fixed about 2 months ago, 12:11am 4 February 2025
- 🇨🇦 Canada joelpittet Vancouver
@roderik I was involved in "Redirect after login not correct when using base_path" (Fixed) - my apologies for causing this. I remember spending quite some time trying to get the url generator correct, and still didn't. We've been running into these issues as well, so thanks for the fix!
- 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU
I should have seen it, of course. Unfortunately I don't use this module actively anymore, so it takes time until I spot things. And I'm happy that people like you are actively tackling some issues.
Finally a new 8.x-3.11 release is out with fixes now, and the list with outstanding bugs and clearly-needed additions is cleaner than ever. (Dare I say zero?)
The log that potentially bothers people under some circumstances ("Code leaked cacheability metadata", Active) is still present in the module, and me reading up on whether it is needed is still outstanding.
- 🇨🇦 Canada joelpittet Vancouver
@roderik, thanks for publishing the release - I was just about to patch all the sites. We did see some potential attack vectors with that code ("Code leaked cacheability metadata", Active), so it's not all false positives like in this case! Also, I totally relate to maintaining modules I no longer actively use.