- Issue created by @berdir
- 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU
(1AM typo in commit message. Commit is here.)
.
Thanks for the report. Yes, this is a bug... which I never consciously registered.There's supposedly-always an exception handler active, which takes care of returning a (redirect) response to an error page. But the 'destination' parameter should always be removed in that case. In other words: the 'destination' wasn't removed early enough.
This makes DOMAIN/saml/login?destination=/:88/favicon.ico at DOMAIN/:88/favicon.ico, instead of the error page... which is a bug.
Bug fixed by removing the 'destination' properly/earlier. "The error page" by default is the homepage (with the standard message saying there was an error which has been logged). If that isn't good for your specific case, you can set an "Error redirect URL" in config.
(I briefly considered (additionally) checking/removing invalid 'destination' values, but that seems to be the
RequestSanitizer::checkDestination()
's job, so I won't duplicate that.) Automatically closed - issue fixed for 2 weeks with no activity.