Redirects to external URLs are not allowed by default

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
  • Full message: Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it.
  • Found in: Drupal 8.1.3
  • Discussion: Google+

A fix which solves this problem (it probably needs further work/discussion before being turned into a patch) is in two parts:

Part One

File: {drupal}/core/lib/Drupal/Core/DrupalKernel.php, function initializeRequestGlobals(): <php>

 protected function initializeRequestGlobals(Request $request) {
   global $base_url;
   // Set and derived from $base_url by this function.
   global /*$base_path,*/ $base_root;
   global $base_secure_url, $base_insecure_url;
   // 2016-07-04 Woozle patch for when the URL doesn't match the filename
   global $base_path_override;
   /* Woozle notes (attempt to document/regularize meaning of globals):
     INPUT:
       $base_path_override ([W new] optional): correct /path/ from domain to Drupal
         * Set this if Drupal detects it wrong. (That happens here.)
     INTERNAL ([W mod: was global])
       $base_path /path/ from domain to Drupal
         * with trailing slash
         * see NOTE - may be calculated internally or set externally
     OUTPUT:
       $base_root: protocol://domain
         * no trailing slash
         * only http and https supported for protocol
       $base_url: [$base_root]/path
         * no trailing slash
         * if Drupal installed in root folder, this should be same as $base_root
       $base_secure_url https://domain/path
         * calculated from $base_url
         * no trailing slash
       $base_insecure_url http://domain/path
         * calculated from $base_url
         * no trailing slash
     NOTE:
       * If $base_path_override is set, then:
         * $base_path = $base_path_override
         * $base_url = $base_root + $base_path - [trailing slash]
       * If $base_path_override is NOT set, then:
         * The same basic logic applies, but it's more complicated.
   */
   // Create base URL.
   $base_root = $request->getSchemeAndHttpHost();
   if (isset($base_path_override)) {
     $base_path = $base_path_override;
     $base_path_slashless = rtrim($base_path,'/');
     $base_url = $base_root.$base_path_slashless;
   } else {
     // [Wzl - existing code] try to guess the base URL from the script's filename
     $base_url = $base_root;
     // For a request URI of '/index.php/foo', $_SERVER['SCRIPT_NAME'] is
     // '/index.php', whereas $_SERVER['PHP_SELF'] is '/index.php/foo'.
     if ($dir = rtrim(dirname($request->server->get('SCRIPT_NAME')), '\/')) {
       // Remove "core" directory if present, allowing install.php,
       // authorize.php, and others to auto-detect a base path.
       $core_position = strrpos($dir, '/core');
       if ($core_position !== FALSE && strlen($dir) - 5 == $core_position) {
         $base_path = substr($dir, 0, $core_position);
       } else {
         $base_path = $dir;
       }
       $base_url .= $base_path;
       $base_path .= '/';
     } else {
       $base_path = '/';
     }
     $domain_url = $base_url;
   }
   $base_secure_url = str_replace('http://', 'https://', $base_url);
   $base_insecure_url = str_replace('https://', 'http://', $base_url);
 }

</php>

Part Two

File: {drupal}/sites/default/settings.php -- add the following: <php>

 global $base_path_override;
 $base_path_override = '/';

</php>

(This assumes you have .htaccess configured to put Drupal in http://domain.name/ (root) rather than in some other subfolder. Adjust as necessary.)

This doesn't fix all the problems caused by the usage ambiguity, but it does make forms work again. I have posted an issue on the Drupal forum to try and get this issue properly fixed.
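The following stand-alone script is an added example, not part of the original page or of Drupal. It carries the two branches of the patched function through for one constructed request and shows that the guessed base URL leaves a root-relative redirect target outside the site, while the override puts it inside. The hostname, the `/drupal8` folder, the helper names and the prefix-based `is_local()` check are assumptions made for illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example: stand-alone model of the patched base-URL logic above.
// Hostname, paths and the is_local() helper are constructed for illustration.

/** Mirrors the patched initializeRequestGlobals(); returns [$base_path, $base_url]. */
function derive_base(string $base_root, string $script_name, ?string $override = null): array {
  if ($override !== null) {
    // First branch of Part One: trust the path configured in settings.php.
    return [$override, $base_root . rtrim($override, '/')];
  }
  // Second branch of Part One: guess the path from the script's filename.
  $base_url = $base_root;
  if ($dir = rtrim(dirname($script_name), '\/')) {
    $core_position = strrpos($dir, '/core');
    $base_path = ($core_position !== false && strlen($dir) - 5 == $core_position)
      ? substr($dir, 0, $core_position)
      : $dir;
    $base_url .= $base_path;
    $base_path .= '/';
  }
  else {
    $base_path = '/';
  }
  return [$base_path, $base_url];
}

/** Simplified locality test (assumption): a target is local if it sits under $base_url. */
function is_local(string $target, string $base_url): bool {
  return $target === $base_url || strpos($target, $base_url . '/') === 0;
}

// Constructed scenario: Drupal's files live in /drupal8, but rewrite rules
// serve the site from the domain root, so a form redirects to /node/1.
$root   = 'http://example.org';
$script = '/drupal8/index.php';
$target = 'http://example.org/node/1';

foreach (['guessed' => null, 'override' => '/'] as $label => $override) {
  [$base_path, $base_url] = derive_base($root, $script, $override);
  printf("%-8s base_path=%-10s base_url=%-28s local=%s\n",
    $label, $base_path, $base_url, is_local($target, $base_url) ? 'yes' : 'no');
}
```

Set `$base_path_override` to the path the site is actually served from and no wider, since everything under the resulting base URL is then treated as a local redirect target.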