Handle invalid destination parameters better

Created on 9 May 2025

Problem/Motivation

We use this on an intranet where all URLs except a few are redirected to the login page. Some of these are typical bots that look for security issues.

One that we've been hit with recently is a request like this:

https://ourdomain.tld/:88/favicon.ico

This redirects to:

/saml/login?destination=/:88/favicon.ico

Which logs an exception like this:

InvalidArgumentException encountered during initiating SAML login: The internal path component ':88/favicon.ico' is external. You are not allowed to specify an external URL together with internal:/

And redirects away, but because there's a destination query string, it goes straight back to that page, which redirects again back to saml/login, resulting in a redirect loop and lots of warnings in our logs.

Steps to reproduce

Proposed resolution

Not sure. Ignore invalid destinations? Could also make sure to remove the destination when redirecting, would still come back then in our case, but without the destination.
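The loop described above, and the "ignore invalid destinations" option from the proposed resolution, as an added illustration that is not code from the samlauth module (which is PHP). The `looks_external()` check reimplements in Python the test Drupal's UrlHelper::isExternal() applies (a colon with no `/`, `?` or `#` before it makes the string look like `scheme:...`), which is why `:88/favicon.ico` is rejected as external once the leading slash is stripped. The routing in `handle()` is a hypothetical simplification of the report: every anonymous request except the login route bounces to `/saml/login?destination=<path>`, and an invalid destination is either honoured (original behaviour) or dropped (the fix). Route names, the `/` front page fallback and the hop limit are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = '/saml/login'   # assumed login route, as in the report
FRONT_PAGE = '/'             # assumed fallback when a bad destination is dropped
MAX_HOPS = 10                # assumed cap used to detect a redirect loop

_BEFORE_COLON = re.compile(r'[/?#]')


def looks_external(path):
    """Same test as Drupal's UrlHelper::isExternal(), reimplemented here:
    a ':' that is not preceded by '/', '?' or '#' makes the string look like
    'scheme:...'.  ':88/favicon.ico' therefore counts as external, which is
    exactly what the logged exception complains about."""
    colon = path.find(':')
    return colon != -1 and _BEFORE_COLON.search(path[:colon]) is None


def valid_destination(destination):
    """Accept only site-relative paths: exactly one leading '/' (so no
    protocol-relative '//host'), and nothing scheme-like after it.
    Returns the destination unchanged, or None when it must be ignored."""
    if not destination or not destination.startswith('/') or destination.startswith('//'):
        return None
    if looks_external(destination[1:]):
        return None
    return destination


def handle(url, ignore_invalid):
    """One simulated request (hypothetical routing mirroring the report).
    Returns ('redirect', location) or ('page', name)."""
    parts = urlsplit(url)
    if parts.path != LOGIN_PATH:
        # Anonymous request for any other path: send to login with destination.
        return 'redirect', f'{LOGIN_PATH}?destination={parts.path}'
    dest = parse_qs(parts.query).get('destination', [None])[0]
    if dest is not None and valid_destination(dest) is None:
        if ignore_invalid:
            # Fix: treat the bad destination as absent and redirect without it.
            return 'redirect', FRONT_PAGE
        # Original behaviour: the error path redirects away, but the destination
        # query parameter is still honoured, so the browser is sent right back.
        return 'redirect', dest
    return 'page', 'saml-login-started'


def follow(url, ignore_invalid, max_hops=MAX_HOPS):
    """Follow redirects until a page is served or max_hops is exceeded.
    Returns (result, hops), where result is the page name or 'LOOP'."""
    hops = 0
    while hops < max_hops:
        kind, value = handle(url, ignore_invalid)
        if kind == 'page':
            return value, hops
        url = value
        hops += 1
    return 'LOOP', hops


if __name__ == '__main__':
    # Constructed request from the report: the bot probing /:88/favicon.ico.
    print(follow('/:88/favicon.ico', ignore_invalid=False))  # ('LOOP', 10)
    print(follow('/:88/favicon.ico', ignore_invalid=True))   # ('saml-login-started', 3)
    print(follow('/node/1', ignore_invalid=True))            # ('saml-login-started', 1)
```

With the original behaviour the probe never settles (the simulation gives up after ten hops); with the invalid destination dropped, the request bounces once through the front page and then starts the login without a destination, which matches the reporter's expectation that the bot "would still come back, but without the destination". The same `valid_destination()` check also rejects protocol-relative `//host` values, the usual open-redirect vector for destination parameters.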

📌 Task
Status

Active

Version

4.0

Component

Code

Created by

berdir (Switzerland)
