function RedirectResponseSubscriber::checkRedirectUrl

Same name and namespace in other branches
  1. 8.9.x core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::checkRedirectUrl()
  2. 10 core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::checkRedirectUrl()
  3. 11.x core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::checkRedirectUrl()

Allows manipulation of the response object when performing a redirect.

Parameters

\Symfony\Component\HttpKernel\Event\ResponseEvent $event: The Event to process.

File

core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php, line 52

Class

RedirectResponseSubscriber
Allows manipulation of the response object when performing a redirect.

Namespace

Drupal\Core\EventSubscriber

Code

public function checkRedirectUrl(ResponseEvent $event) {
    $response = $event->getResponse();
    if ($response instanceof RedirectResponse) {
        $request = $event->getRequest();
        // Let the 'destination' query parameter override the redirect target.
        // If $response is already a SecuredRedirectResponse, it might reject the
        // new target as invalid, in which case proceed with the old target.
        $destination = $request->query->get('destination');
        if ($destination) {
            // The 'Location' HTTP header must always be absolute.
            $destination = $this->getDestinationAsAbsoluteUrl($destination, $request->getSchemeAndHttpHost());
            try {
                $response->setTargetUrl($destination);
            } catch (\InvalidArgumentException $e) {
            }
        }
        // Regardless of whether the target is the original one or the overridden
        // destination, ensure that all redirects are safe.
        if (!$response instanceof SecuredRedirectResponse) {
            try {
                // SecuredRedirectResponse is an abstract class that requires a
                // concrete implementation. Default to LocalRedirectResponse, which
                // considers only redirects to within the same site as safe.
                $safe_response = LocalRedirectResponse::createFromRedirectResponse($response);
                $safe_response->setRequestContext($this->requestContext);
            } catch (\InvalidArgumentException $e) {
                // If the above failed, it's because the redirect target wasn't
                // local. Do not follow that redirect. Display an error message
                // instead. We're already catching one exception, so trigger_error()
                // rather than throw another one.
                // We don't throw an exception, because this is a client error rather than a
                // server error.
                $message = 'Redirects to external URLs are not allowed by default, use \\Drupal\\Core\\Routing\\TrustedRedirectResponse for it.';
                trigger_error($message, E_USER_ERROR);
                $safe_response = new Response($message, 400);
            }
            $event->setResponse($safe_response);
        }
    }
}
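As an added illustration, not Drupal core code, the following standalone PHP models the policy the method above enforces: the ?destination override, the rule that Location must be absolute, and the local-only check that LocalRedirectResponse applies (non-local targets end in a 400 instead of a redirect). It assumes PHP 8 (str_starts_with) and a site at https://example.com; the helper names resolveDestination(), isLocalRedirect() and checkRedirect() are hypothetical.

```php
<?php
// Added illustration, not Drupal core code: a standalone model of the policy
// checkRedirectUrl() enforces. The helper names are hypothetical; Drupal itself
// delegates this to getDestinationAsAbsoluteUrl() and LocalRedirectResponse.

// The Location header must be absolute: prefix a bare path with the site's
// scheme and host. Anything with a scheme, or protocol-relative ("//host"), is
// left untouched so that the locality check below gets to judge it.
function resolveDestination(string $destination, string $schemeAndHost): string {
    // Browsers treat "\" like "/", so "\\evil.example" is protocol-relative too.
    $destination = str_replace('\\', '/', $destination);
    if (preg_match('#^(?:[a-z][a-z0-9+.-]*:|//)#i', $destination)) {
        return $destination;
    }
    return $schemeAndHost . '/' . ltrim($destination, '/');
}

// Local means: same scheme, host and port as the site, and a path under the
// site's base path (which matters for installs in a sub-directory).
function isLocalRedirect(string $target, string $baseUrl): bool {
    if (($t = parse_url($target)) === false || ($b = parse_url($baseUrl)) === false) {
        return false;
    }
    $scheme = strtolower($t['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || $scheme !== strtolower($b['scheme'] ?? '')) {
        return false;
    }
    if (strtolower($t['host'] ?? '') !== strtolower($b['host'] ?? '') || ($t['port'] ?? null) !== ($b['port'] ?? null)) {
        return false;
    }
    $basePath = rtrim($b['path'] ?? '', '/') . '/';
    $path = $t['path'] ?? '/';
    return $path === rtrim($basePath, '/') || str_starts_with($path, $basePath);
}

// Mirrors the subscriber: ?destination overrides the target, then the result,
// overridden or not, must be local; otherwise the client gets a 400.
function checkRedirect(string $originalTarget, ?string $destination, string $baseUrl): array {
    $target = ($destination !== null && $destination !== '')
        ? resolveDestination($destination, $baseUrl) : $originalTarget;
    return isLocalRedirect($target, $baseUrl)
        ? ['status' => 302, 'location' => $target]
        : ['status' => 400, 'location' => null];
}

// Constructed inputs; the site is assumed to live at https://example.com.
$base = 'https://example.com';
foreach (['/user/1', '//evil.example/', 'https://evil.example/', '\\\\evil.example', 'https://example.com@evil.example/'] as $dest) {
    printf("%-36s => %d\n", $dest, checkRedirect($base . '/node/1', $dest, $base)['status']);
}
```

Only the first destination yields a 302; the protocol-relative, backslash, external and userinfo-confusion forms all fall through to the 400 branch, which is the behaviour to expect from a site where external redirects have not been opted into via TrustedRedirectResponse.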
