[6.x] Fix /index.php request poisoning Site::absoluteUrl#14647
Merged
Conversation
When a request hits the front controller directly (e.g. /index.php),
Laravel's url()->to('/') returns the URL with the script name appended.
That made URL::makeAbsolute() (and therefore Site::absoluteUrl()) vary
by request entry point, causing fallback-config sites to resolve their
"absolute URL" to https://host/index.php, match the homepage entry,
and serve a 200 (which then gets baked into the static cache).
Strip the script name from getRequestRootUrl() so the result is
invariant. Restores Statamic 5 behavior.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #14644.
On a Statamic 6 site without
resources/sites.yaml, a direct request to/index.phpwas returning the homepage with a 200 instead of a 404, and every link in the rendered response was prefixed with/index.php/.... With full static caching, that response got written to disk and served on every subsequent/index.phphit indefinitely — and crawlers then spidered the/index.php/{slug}link graph, poisoning more cached entries.Root cause
PR #11840 changed
Site::absoluteUrl()fromrequest()->getSchemeAndHttpHost() . $urltoURL::makeAbsolute($url). The old form was invariant to request entry point; the new form delegates toURL::getRequestRootUrl(), which calls Laravel'surl()->to('/')— and that includes the base URL (e.g./index.php) when the request hits the front controller directly. So on a/index.phprequest, the site's "absolute URL" inflated tohttps://host/index.php.Data::findByRequestUrl()then stripped that off the request URL, leaving''→ normalized to/→ matched the homepage entry → 200.Fix
Strip the front-controller script name from
URL::getRequestRootUrl()so the result stays invariant to whether the request hit/index.phpor/. Same pattern is already used inURL::prependSiteUrl()(line 152–156), so this is consistent with existing convention. Usespathinfo(request()->getScriptName())['basename']rather than hardcodingindex.php, in case the front controller has been renamed.This addresses the root cause for all sites with a relative URL — both the missing-
sites.yamlfallback case and users who explicitly configureurl: /insites.yaml.Verification
Restores Statamic 5 behavior. Confirmed end-to-end via
php -S://index.php/about/staff/index.php/about/staffTest plan
making_urls_absolute_ignores_front_controller_in_request_rootcovers the regression.…com/index.php) and passes with it.tests/Facades/UrlTest.php(450 tests),tests/Sites,tests/StaticCaching,tests/Data,tests/Routingall pass.php -Swith a real Statamic site.Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com