authorcatch2013-01-21 11:22:14 (GMT)
committercatch2013-01-21 11:22:14 (GMT)
commit0d74f5bf8f0fc4feb3d90622d61d5c124499789b (patch)
tree61e5a3e859685ddab512b4b1bcfdae7f6dc83c96
parentc80c3e18f1497324bccf444fb113aefa1338d1fa (diff)
Issue #736172 by fizk: Fixed drupal_goto() should allow absolute destinations that are within the same site.
-rw-r--r--core/includes/common.inc13
-rw-r--r--core/modules/system/lib/Drupal/system/Tests/Common/GotoTest.php8
-rw-r--r--core/modules/system/tests/modules/common_test/common_test.module8
3 files changed, 17 insertions, 12 deletions
diff --git a/core/includes/common.inc b/core/includes/common.inc
index 5d32281..0c16ac9 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -688,8 +688,8 @@ function drupal_goto($path = '', array $options = array(), $http_response_code =
// A destination in $_GET always overrides the function arguments.
// We do not allow absolute URLs to be passed via $_GET, as this can be an
// attack vector, with the following exception:
- // - absolute URLs that point to this site (i.e. same base URL and
- // base path) are allowed
+ // - Absolute URLs that point to this site (i.e. same base URL and
+ // base path) are allowed.
if (isset($_GET['destination']) && (!url_is_external($_GET['destination']) || _external_url_is_local($_GET['destination']))) {
$destination = drupal_parse_url($_GET['destination']);
$path = $destination['path'];
@@ -722,13 +722,18 @@ function drupal_goto($path = '', array $options = array(), $http_response_code =
* TRUE if the URL has the same domain and base path.
*/
function _external_url_is_local($url) {
- $url_parts = parse_url($url);
- $base_host = parse_url($GLOBALS['base_url'], PHP_URL_HOST);
+ $url_parts = parse_url($url);
+ $base_host = parse_url($GLOBALS['base_url'], PHP_URL_HOST);
+ if (!isset($url_parts['path'])) {
+ return ($url_parts['host'] == $base_host);
+ }
+ else {
// When comparing base paths, we need a trailing slash to make sure a
// partial URL match isn't occuring. Since base_path() always returns with
// a trailing slash, we don't need to add the trailing slash here.
return ($url_parts['host'] == $base_host && stripos($url_parts['path'], base_path()) === 0);
+ }
}
/**
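Review bot: The new `!isset($url_parts['path'])` branch returns on a host match alone, so the base-path check kept in the `else` branch is skipped for a host-only URL; on a site installed in a subdirectory this appears to let a `destination` that points at the host root, outside this installation, pass as local. Defaulting the path and keeping a single return would preserve the check: `$path = isset($url_parts['path']) ? $url_parts['path'] : '/';` followed by `return ($url_parts['host'] == $base_host && stripos($path, base_path()) === 0);`. `$url_parts['host']` is also read without an `isset()` guard, although `parse_url()` can return FALSE or omit `host` for malformed input, so testing `isset($url_parts['host'])` first would make the rejection deliberate rather than dependent on a loose `==` against an undefined index. Only the host is compared, not the scheme or port from `$GLOBALS['base_url']`, which is worth stating in the docblock that begins above this hunk.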
diff --git a/core/modules/system/lib/Drupal/system/Tests/Common/GotoTest.php b/core/modules/system/lib/Drupal/system/Tests/Common/GotoTest.php
index edf59a8..c9e3cfc 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Common/GotoTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Common/GotoTest.php
@@ -56,14 +56,14 @@ class GotoTest extends WebTestBase {
// Test that drupal_goto() respects ?destination=xxx with an absolute URL
// that points to this Drupal installation.
- $destination = url('common-test/drupal_goto/alt', array('absolute' => TRUE));
+ $destination = url('common-test/drupal_goto/alternative', array('absolute' => TRUE));
$this->drupalGet('common-test/drupal_goto/redirect', array('query' => array('destination' => $destination)));
- $this->assertText('drupal_goto_alt', 'Drupal goto redirect with absolute URL destination that points to this Drupal installation succeeded.');
- $this->assertEqual($this->getUrl(), url('common-test/drupal_goto/alt', array('absolute' => TRUE)), 'Drupal goto redirected to given query string destination with absolute URL that points to this Drupal installation.');
+ $this->assertText('drupal_goto_alternative', 'Drupal goto redirect with absolute URL destination that points to this Drupal installation succeeded.');
+ $this->assertEqual($this->getUrl(), url('common-test/drupal_goto/alternative', array('absolute' => TRUE)), 'Drupal goto redirected to given query string destination with absolute URL that points to this Drupal installation.');
// Test that drupal_goto() fails to respect ?destination=xxx with an absolute URL
// that does not point to this Drupal installation.
- $destination = 'http://pagedoesnotexist';
+ $destination = 'http://example.com';
$this->drupalGet('common-test/drupal_goto/redirect', array('query' => array('destination' => $destination)));
$this->assertText('drupal_goto', 'Drupal goto fails to redirect with absolute URL destination that does not point to this Drupal installation.');
$this->assertNotEqual($this->getUrl(), $destination, 'Drupal goto failed to redirect to given query string destination with absolute URL that does not point to this Drupal installation.');
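Review bot: Neither case in this hunk exercises the branch added to `_external_url_is_local()` for an accepted URL: the positive case still carries a path (`common-test/drupal_goto/alternative`), and `http://example.com` only covers a host-only URL on a foreign host. A case that passes this site's own base URL without a path as `destination` and asserts that the redirect is followed would pin the behaviour the commit title describes. A negative case for a URL on this host whose path lies outside `base_path()` would guard the redirect check against regressions; it probably needs a subdirectory install to be meaningful, so a comment such as `// Same host, path outside base_path(): must not be followed.` beside it would help. The test method starts and continues outside this hunk.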
diff --git a/core/modules/system/tests/modules/common_test/common_test.module b/core/modules/system/tests/modules/common_test/common_test.module
index a41f608..f932f0f 100644
--- a/core/modules/system/tests/modules/common_test/common_test.module
+++ b/core/modules/system/tests/modules/common_test/common_test.module
@@ -15,9 +15,9 @@ function common_test_menu() {
'access arguments' => array('access content'),
'type' => MENU_CALLBACK,
);
- $items['common-test/drupal_goto/alt'] = array(
+ $items['common-test/drupal_goto/alternative'] = array(
'title' => 'Drupal Goto',
- 'page callback' => 'common_test_drupal_goto_land_alt',
+ 'page callback' => 'common_test_drupal_goto_land_alternative',
'access arguments' => array('access content'),
'type' => MENU_CALLBACK,
);
@@ -101,8 +101,8 @@ function common_test_drupal_goto_land() {
*
* @see common_test_menu()
*/
-function common_test_drupal_goto_land_alt() {
- print "drupal_goto_alt";
+function common_test_drupal_goto_land_alternative() {
+ print "drupal_goto_alternative";
}
/**