Redirects to external URLs are not allowed by default

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
Jump to navigation Jump to search
  • Full message: Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it.
  • Found in: Drupal 8.1.3
  • Discussion: Google+

A patch which solves this problem (probably needs further work/discussion before turning it into a patch) is in two parts:

Part One

File: {drupal}/core/lib/Drupal/Core/DrupalKernel.php, function initializeRequestGlobals(): <php>

 protected function initializeRequestGlobals(Request $request) {
   global $base_url;
   // Set and derived from $base_url by this function.
   global /*$base_path,*/ $base_root;
   global $base_secure_url, $base_insecure_url;
   // 2016-07-04 Woozle patch for when the URL doesn't match the filename
   global $base_path_override;
   /* Woozle notes (attempt to document/regularize meaning of globals):

$base_path_override ([W new] optional): correct /path/ from domain to Drupal * Set this if Drupal detects it wrong. (That happens here.)

     INTERNAL ([W mod: was global])

$base_path /path/ from domain to Drupal * with trailing slash * see NOTE - may be calculated internally or set externally


$base_root: protocol://domain * no trailing slash * only http and https supported for protocol $base_url: [$base_root]/path * no trailing slash * if Drupal installed in root folder, this should be same as $base_root $base_secure_url https://domain/path * calculated from $base_url * no trailing slash $base_insecure_url http://domain/path * calculated from $base_url * no trailing slash


* If $base_path_override is set, then: * $base_path = $base_path_override * $base_url = $base_root + $base_path - [trailing slash] * If $base_path_override is NOT set, then: * The same basic logic applies, but it's more complicated.

   // Create base URL.
   $base_root = $request->getSchemeAndHttpHost();
   if (isset($base_path_override)) {

$base_path = $base_path_override; $base_path_slashless = rtrim($base_path,'/'); $base_url = $base_root.$base_path_slashless;

   } else {

// [Wzl - existing code] try to guess the base URL from the script's filename $base_url = $base_root; // For a request URI of '/index.php/foo', $_SERVER['SCRIPT_NAME'] is // '/index.php', whereas $_SERVER['PHP_SELF'] is '/index.php/foo'. if ($dir = rtrim(dirname($request->server->get('SCRIPT_NAME')), '\/')) { // Remove "core" directory if present, allowing install.php, // authorize.php, and others to auto-detect a base path. $core_position = strrpos($dir, '/core'); if ($core_position !== FALSE && strlen($dir) - 5 == $core_position) { $base_path = substr($dir, 0, $core_position); } else { $base_path = $dir; } $base_url .= $base_path; $base_path .= '/'; } else { $base_path = '/'; } $domain_url = $base_url;

   $base_secure_url = str_replace('http://', 'https://', $base_url);
   $base_insecure_url = str_replace('https://', 'http://', $base_url);


Part Two

File: {drupal}/sites/default/settings.php -- add the following: <php> global $base_path_override; $base_path_override = '/'; </php>

(This assumes you have .htaccess configured to put Drupal in (root) rather than in some other subfolder. Adjust as necessary.)

This doesn't fix all the problems caused by the usage ambiguity, but it does make forms work again. I have posted an issue on the Drupal forum to try and get this issue properly fixed.