Skip to content

Build query string array from url stripped of marketing params instead of original request uri #40349

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
NateSwanson7 wants to merge 1 commit into
base: 2.4-develop
Choose a base branch
from
Open

Build query string array from url stripped of marketing params instead of original request uri #40349

NateSwanson7 wants to merge 1 commit into from
+12 −4

Conversation

@NateSwanson7
Copy link

@NateSwanson7 NateSwanson7 commented Dec 8, 2025
edited
Loading

Description (*)

This pull request fixes an issue in the built-in Full Page Cache (FPC) where
marketing/tracking query parameters such as utm_*, gclid, fbclid, dclid, etc.
were unintentionally being added back into the FPC cache identifier.

Magento 2.4-develop introduced logic in Identifier::getValue() to strip these
parameters from the request URI before generating the cache key. However,
reconstructUrl() rebuilt the query string using the original request's
query parameters via $this->request->getUri()->getQueryAsArray(), which
still contained all marketing parameters.

As a result, although the sanitized URL correctly removed marketing parameters,
the reconstructed query string reintroduced them, causing the built-in FPC to
generate separate cache entries for URLs that differed only by marketing params.

This PR corrects reconstructUrl() so that it parses the query string
from the sanitized $url passed into the method. The sanitized query is
then normalized (ksort + http_build_query) and used in the cache key, ensuring
consistent behavior and preventing unnecessary cache fragmentation.

Fixed Issues (if relevant)

  1. Fixes Marketing params added back into query used for built-in FPC identifier creation #40350

Manual testing scenarios (*)

  1. Enable built-in Full Page Cache.

  2. Visit a storefront page with marketing parameters in the URL, e.g.:

    https://example.com/?utm_source=test&utm_medium=cpc&gclid=ABC123&foo=bar

  3. Enable cache debug tools, or temporarily add logging in
    Magento\Framework\App\PageCache\Identifier::getValue() to inspect the
    generated identifier value.

  4. Observe the following behavior before this fix:

    • Marketing parameters are correctly removed from the sanitized URL.
    • However, the final cache key still includes these parameters because
      reconstructUrl() rebuilds the query from the original request query array.

  5. Apply this patch and reload the same URL.

  6. Verify that:

    • The FPC identifier no longer contains utm_*, gclid, fbclid, etc.
    • Only the sanitized and normalized query parameters are included.
    • URLs that differ only by marketing parameters now produce the same FPC entry.

  7. Confirm that non-marketing query parameters (e.g. ?foo=bar) remain part of
    the FPC key as expected.

Questions or comments

If maintainers prefer this logic to live outside reconstructUrl(), or want
a different mechanism for parameter stripping prior to FPC key generation,
I am happy to adjust the implementation.

If unit test coverage is desired for this method, I can add tests to assert
that marketing parameters are excluded and that query ordering is normalized.

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)

@m2-assistant
Copy link

m2-assistant bot commented Dec 8, 2025

Hi @NateSwanson7. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Dec 8, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

1 similar comment
@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Dec 8, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@NateSwanson7 NateSwanson7 mentioned this pull request Dec 8, 2025
Open
5 tasks
@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Dec 8, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

4 similar comments
@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Dec 8, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Dec 8, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Dec 8, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Dec 8, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@NateSwanson7
Copy link
Author

NateSwanson7 commented Dec 8, 2025

@magento run all tests

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Marketing params added back into query used for built-in FPC identifier creation

2 participants

@NateSwanson7 @nate-wondrium