28 October 2013

The Drupal clean URL technique provides a simple method of making web addresses shorter and more user-friendly (and possibly more SEO-friendly). However, the default implementation using rewrite creates an interesting situation where malformed links can have unexpected consequences for what is displayed on your web site. At the moment, these appear to be simply unfortunate -- I have not brainstormed for ways that it could create a security vulnerability.

Consequence 1: You can generate a 404 error. A simple example would be to find a valid page and append "q=break-me" to the query string. For instance, https://drupal.org/?q=break-me. This is especially problematic if you work with a web service that automatically appends a 'q' variable, as some Adwords users describe here.

Consequence 2: You can see the wrong content on a page. This seems relatively benign other than it can be confusing for a novice editor to diagnose on the site. However, it is possible this to additionally break relative links, which can create an unprofessional appearance. For instance, see the screenshot of the webform project when it has the q pointing to the "getting started" page https://drupal.org/project/webform?q=start. The images are broken because their sources are relative to a different path.

The easiest solution would be to ban the use of the 'q' parameter entirely or even disable the use of query strings (e.g., when using CloudFront, another CDN, or any local reverse proxy). A couple examples are below.


Change 'q' to 'alt'

set req.url = regsuball(req.url, "(&|\?)q=", "\1alt=");

Apache mod_rewrite

Change 'q' to 'alt' and redirect to it (301).

RewriteCond %{QUERY_STRING} (^|^.*&)q=(.*)$
RewriteRule ^(.*)$ /$1?%1alt=%2 [L,R=301]

blog comments powered by Disqus