/**
  * Allows manipulation of the response object when performing a redirect.
  *
  * @param \Symfony\Component\HttpKernel\Event\FilterResponseEvent $event
  *   The Event to process.
  */
 public function checkRedirectUrl(FilterResponseEvent $event)
 {
     $response = $event->getResponse();
     // Only redirect responses have a target URL that 'destination' may override.
     if (!($response instanceof RedirectResponse)) {
         return;
     }

     $request = $event->getRequest();
     // The 'destination' query parameter is request-supplied and therefore
     // untrusted. It overrides the target of the current RedirectResponse, so
     // every branch below must keep the redirect on this site; accepting an
     // arbitrary absolute URL here would be an open redirect.
     $destination = $request->query->get('destination');
     if (!$destination) {
         return;
     }

     if (UrlHelper::isExternal($destination)) {
         // Absolute URLs are honoured only when they point back to this site
         // (same base URL and base path). Any other external destination is
         // ignored and the response keeps its original target.
         // NOTE(review): externalIsLocal() may throw \InvalidArgumentException
         // for values it considers malformed; nothing catches it here, so
         // confirm that such a destination cannot surface as an error page.
         if (UrlHelper::externalIsLocal($destination, $this->requestContext->getCompleteBaseUrl())) {
             $response->setTargetUrl($destination);
         }
         return;
     }

     if (strpos($destination, '/') === 0) {
         // A destination without scheme and host is expected to carry an
         // absolute path (leading '/'). The 'Location' header must be absolute,
         // so the current scheme and host are prepended.
         // NOTE(review): this branch relies on UrlHelper::isExternal() having
         // already classified scheme-relative values as external; confirm
         // against the UrlHelper version in use.
         $target = $request->getSchemeAndHttpHost() . $destination;
     } else {
         // Legacy destinations can be relative paths that have not yet been
         // converted to URLs, so outbound path processing and other URL
         // handling still has to run on them.
         // @todo As generateFromPath() is deprecated, remove this in
         //   https://www.drupal.org/node/2418219.
         $parsed = UrlHelper::parse($destination);
         $target = $this->urlGenerator->generateFromPath($parsed['path'], array(
             'query' => $parsed['query'],
             'fragment' => $parsed['fragment'],
             // The 'Location' HTTP header must always be absolute.
             'absolute' => TRUE,
         ));
     }
     $response->setTargetUrl($target);
 }
 /**
  * Allows manipulation of the response object when performing a redirect.
  *
  * @param \Symfony\Component\HttpKernel\Event\FilterResponseEvent $event
  *   The Event to process.
  */
 public function checkRedirectUrl(FilterResponseEvent $event)
 {
     $response = $event->getResponse();
     // Only redirect responses have a target URL that 'destination' may override.
     if (!($response instanceof RedirectResponse)) {
         return;
     }

     // The 'destination' query parameter is request-supplied and therefore
     // untrusted. It always overrides the current RedirectResponse, so it is
     // accepted only when it stays on this site.
     $destination = $event->getRequest()->query->get('destination');
     if (!$destination) {
         return;
     }

     // Absolute URLs are an attack vector (open redirect) and are rejected,
     // with one exception: absolute URLs that point to this site, i.e. same
     // base URL and base path.
     // NOTE(review): the comparison baseline is $GLOBALS['base_url']; how far
     // that value can be trusted depends on how it is populated (fixed
     // configuration versus derived from the incoming request) - confirm.
     if (UrlHelper::isExternal($destination) && !UrlHelper::externalIsLocal($destination, $GLOBALS['base_url'])) {
         return;
     }

     // Both accepted forms (relative, and absolute-but-local) are parsed and
     // regenerated through the URL generator.
     $parsed = UrlHelper::parse($destination);
     $target = $this->urlGenerator->generateFromPath($parsed['path'], array(
         'query' => $parsed['query'],
         'fragment' => $parsed['fragment'],
         // The 'Location' HTTP header must always be absolute.
         'absolute' => TRUE,
     ));
     $response->setTargetUrl($target);
 }
 /**
  * {@inheritdoc}
  */
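 public function massageFormValues(array $values, array $form, FormStateInterface $form_state)
 {
     global $base_url;
     $values = parent::massageFormValues($values, $form, $form_state);

     // Collect the URL of every file currently referenced by the file fields
     // named in the 'file_fields' setting.
     $file_urls = [];
     $countable_fields = $this->getSetting('file_fields');
     foreach ($countable_fields as $field) {
         $field_items = $form_state->getValue($field);
         // A field that is absent from the submitted values has nothing to
         // contribute; skip it instead of passing a non-array to array_column().
         if (!is_array($field_items)) {
             continue;
         }
         $files_values = array_filter(array_column($field_items, 'fids'));
         foreach ($files_values as $file_value) {
             /** @var FileInterface $file */
             $file = File::load(reset($file_value));
             if ($file) {
                 $file_urls[] = $file->url();
             }
         }
     }

     // Remove access URLs of files that are no longer referenced. Only
     // absolute URLs that point to this site are treated as file URLs;
     // everything else is left as entered.
     foreach ($values as $delta => $value) {
         if (UrlHelper::isExternal($value['uri']) && UrlHelper::externalIsLocal($value['uri'], $base_url) && !in_array($value['uri'], $file_urls, TRUE)) {
             unset($values[$delta]);
         }
     }

     // Add new or updated files to the access URLs. Membership is tested with
     // a strict in_array(): the previous !array_search() check treated a match
     // at index 0 as "not found" and appended a duplicate of the first entry.
     $known_uris = array_column($values, 'uri');
     foreach ($file_urls as $file_url) {
         if (!in_array($file_url, $known_uris, TRUE)) {
             $values[]['uri'] = $file_url;
             // Track the addition so a file referenced twice is added once.
             $known_uris[] = $file_url;
         }
     }
     return $values;
 }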
 /**
  * Test invalid url arguments.
  *
  * @param string $url
  *   The url to test.
  * @param string $base_url
  *   The base url.
  *
  * @covers ::externalIsLocal
  * @dataProvider providerTestExternalIsLocalInvalid
  * @expectedException \InvalidArgumentException
  */
 public function testExternalIsLocalInvalid($url, $base_url)
 {
     // No assertion is made on the return value: the test passes only if this
     // call throws, as declared by the @expectedException annotation in the
     // method's docblock. The argument pairs come from the data provider
     // named there.
     UrlHelper::externalIsLocal($url, $base_url);
 }
 /**
  * {@inheritdoc}
  */
 protected function isLocal($url)
 {
     // A URL that is not external (no scheme/host of its own) is local.
     if (!UrlHelper::isExternal($url)) {
         return TRUE;
     }
     // An absolute URL counts as local only when it points to this site's
     // complete base URL. The external check above runs first, so
     // externalIsLocal() only ever receives URLs already classified as
     // external.
     // NOTE(review): externalIsLocal() may throw \InvalidArgumentException for
     // arguments it considers invalid; this method does not catch it, so
     // confirm that callers passing untrusted URLs handle that.
     return (bool) UrlHelper::externalIsLocal($url, $this->getRequestContext()->getCompleteBaseUrl());
 }