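/**
 * Allows manipulation of the response object when performing a redirect.
 *
 * When the request carries a ?destination query parameter, it replaces the
 * target of an outgoing RedirectResponse. Only destinations that resolve to
 * this site are honoured: a destination that is not external is made
 * absolute against the current request, an absolute URL that points to this
 * site is passed through as-is, and anything else is ignored so the response
 * keeps the target it already had.
 *
 * @param \Symfony\Component\HttpKernel\Event\FilterResponseEvent $event
 *   The Event to process.
 */
public function checkRedirectUrl(FilterResponseEvent $event) {
  $response = $event->getResponse();
  if (!($response instanceof RedirectResponse)) {
    return;
  }

  $options = [];
  $request = $event->getRequest();
  $destination = $request->query->get('destination');

  // A destination from \Drupal::request()->query always overrides the
  // current RedirectResponse. We do not allow absolute URLs to be passed
  // via \Drupal::request()->query, as this can be an attack vector, with
  // the following exception:
  // - Absolute URLs that point to this site (i.e. same base URL and
  //   base path) are allowed.
  //
  // Query parameters are not guaranteed to be scalar: "?destination[]=x"
  // arrives as an array, which the string functions below are not written
  // for. Such a value is ignored rather than passed on. The truthiness test
  // (unchanged from before) also ignores an empty string and the literal "0".
  if (!is_string($destination) || !$destination) {
    return;
  }

  if (!UrlHelper::isExternal($destination)) {
    // The destination query parameter can be a relative URL in the sense
    // of not including the scheme and host, but its path is expected to
    // be absolute (start with a '/'). For such a case, prepend the
    // scheme and host, because the 'Location' header must be absolute.
    //
    // isExternal() above is relied on to classify protocol-relative forms
    // ("//host", and backslash variants) as external, so they never have
    // the local origin prepended here -- confirm against UrlHelper.
    // NOTE(review): getSchemeAndHttpHost() is derived from the request's
    // Host header, so the origin prepended here is only as trustworthy as
    // the site's trusted-host configuration.
    if (strpos($destination, '/') === 0) {
      $destination = $request->getSchemeAndHttpHost() . $destination;
    }
    else {
      // Legacy destination query parameters can be relative paths that
      // have not yet been converted to URLs (outbound path processors
      // and other URL handling still needs to be performed).
      // @todo As generateFromPath() is deprecated, remove this in
      //   https://www.drupal.org/node/2418219.
      $destination = UrlHelper::parse($destination);
      $path = $destination['path'];
      $options['query'] = $destination['query'];
      $options['fragment'] = $destination['fragment'];
      // The 'Location' HTTP header must always be absolute.
      $options['absolute'] = TRUE;
      $destination = $this->urlGenerator->generateFromPath($path, $options);
    }
    $response->setTargetUrl($destination);
  }
  // An absolute URL is only accepted when it points at this site. Per its
  // unit test, externalIsLocal() throws \InvalidArgumentException for a
  // malformed URL, so a malformed external destination surfaces as an
  // exception here rather than being silently ignored.
  elseif (UrlHelper::externalIsLocal($destination, $this->requestContext->getCompleteBaseUrl())) {
    $response->setTargetUrl($destination);
  }
}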
/**
 * Allows manipulation of the response object when performing a redirect.
 *
 * This appears to be an earlier revision of the subscriber: every accepted
 * ?destination value, whether a relative path or an absolute URL to this
 * site, is split with UrlHelper::parse() and rebuilt through the URL
 * generator, and the "points to this site" comparison uses the global
 * $base_url rather than the request context.
 *
 * @param \Symfony\Component\HttpKernel\Event\FilterResponseEvent $event
 *   The Event to process.
 */
public function checkRedirectUrl(FilterResponseEvent $event) {
  $response = $event->getResponse();
  if (!($response instanceof RedirectResponse)) {
    return;
  }

  $destination = $event->getRequest()->query->get('destination');

  // A destination from \Drupal::request()->query always overrides the
  // current RedirectResponse. We do not allow absolute URLs to be passed
  // via \Drupal::request()->query, as this can be an attack vector, with
  // the following exception:
  // - Absolute URLs that point to this site (i.e. same base URL and
  //   base path) are allowed.
  if (!$destination) {
    return;
  }
  // Short-circuit order matters: externalIsLocal() is only consulted for
  // URLs isExternal() reports as external, and per its unit test it throws
  // \InvalidArgumentException for malformed input.
  // NOTE(review): $GLOBALS['base_url'] is presumably populated by the kernel
  // from the incoming request unless overridden in settings.php -- confirm;
  // if so the same-site check inherits whatever trust the Host header has.
  $points_here = !UrlHelper::isExternal($destination)
    || UrlHelper::externalIsLocal($destination, $GLOBALS['base_url']);
  if (!$points_here) {
    return;
  }

  $parts = UrlHelper::parse($destination);
  $options = [
    'query' => $parts['query'],
    'fragment' => $parts['fragment'],
    // The 'Location' HTTP header must always be absolute.
    'absolute' => TRUE,
  ];
  $target = $this->urlGenerator->generateFromPath($parts['path'], $options);
  $response->setTargetUrl($target);
}
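/**
 * {@inheritdoc}
 *
 * Keeps the submitted URI values in step with the files selected in the
 * configured file fields: a local absolute URL that no longer matches a
 * selected file is dropped, and the URL of every selected file is present
 * exactly once. Relative URIs and URLs to other hosts are left untouched.
 */
public function massageFormValues(array $values, array $form, FormStateInterface $form_state) {
  global $base_url;
  $values = parent::massageFormValues($values, $form, $form_state);

  // Collect the URL of every file currently selected in the watched fields.
  $file_urls = [];
  $countable_fields = $this->getSetting('file_fields');
  foreach ((array) $countable_fields as $field) {
    // A field absent from the submission yields NULL; array_column() needs
    // an array.
    $field_values = (array) $form_state->getValue($field);
    $files_values = array_filter(array_column($field_values, 'fids'));
    foreach ($files_values as $file_value) {
      /** @var FileInterface $file */
      $file = File::load(reset($file_value));
      if ($file) {
        $file_urls[] = $file->url();
      }
    }
  }

  // Remove removed files from access urls. Only URLs that are absolute AND
  // point at this site are candidates; externalIsLocal() is reached only
  // for external URLs, and per its unit test it throws
  // \InvalidArgumentException on malformed input.
  foreach ($values as $delta => $value) {
    if (isset($value['uri'])
      && UrlHelper::isExternal($value['uri'])
      && UrlHelper::externalIsLocal($value['uri'], $base_url)
      && !in_array($value['uri'], $file_urls, TRUE)) {
      unset($values[$delta]);
    }
  }

  // Add new or updated files to the access urls.
  // Membership is tested explicitly: the previous `!array_search(...)` form
  // treated a match at index 0 as "not found" and appended a duplicate of
  // the first entry. The seen-list is extended as entries are added so a
  // URL repeated in $file_urls is still added only once.
  $existing_uris = array_column($values, 'uri');
  foreach ($file_urls as $file_url) {
    if (!in_array($file_url, $existing_uris, TRUE)) {
      $values[]['uri'] = $file_url;
      $existing_uris[] = $file_url;
    }
  }
  return $values;
}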
/**
 * Test invalid url arguments.
 *
 * Each data set from the provider is a ($url, $base_url) pair for which
 * UrlHelper::externalIsLocal() is expected to reject its input by throwing
 * \InvalidArgumentException; the test has no assertion of its own and passes
 * only if that exception is raised.
 *
 * @param string $url
 *   The url to test.
 * @param string $base_url
 *   The base url.
 *
 * @covers ::externalIsLocal
 * @dataProvider providerTestExternalIsLocalInvalid
 * @expectedException \InvalidArgumentException
 */
public function testExternalIsLocalInvalid($url, $base_url) {
  // NOTE(review): the @expectedException annotation was removed in PHPUnit 9;
  // when the suite moves there, replace it with
  // $this->expectException(\InvalidArgumentException::class) before this call.
  UrlHelper::externalIsLocal($url, $base_url);
}
/**
 * {@inheritdoc}
 *
 * A URL counts as local when UrlHelper does not consider it external, or
 * when it is external but resolves to this site's complete base URL.
 * externalIsLocal() is only consulted for external URLs; per its unit test
 * it throws \InvalidArgumentException for malformed input, which this method
 * does not catch.
 */
protected function isLocal($url) {
  if (!UrlHelper::isExternal($url)) {
    return TRUE;
  }
  $complete_base_url = $this->getRequestContext()->getCompleteBaseUrl();
  return UrlHelper::externalIsLocal($url, $complete_base_url);
}