[FIX] website: prevent creation of 308 to existing controller

addons/website/i18n/website.pot

@@ -41,6 +41,23 @@ msgstr ""
 msgid "\"URL from\" can not be empty."
 msgstr ""
 
+#. module: website
+#. odoo-python
+#: code:addons/website/models/website_rewrite.py:0
+#, python-format
+msgid ""
+"\"URL to\" cannot be set to \"/\". To change the homepage content, use the "
+"\"Homepage URL\" field in the website settings or the page properties on any"
+" custom page."
+msgstr ""
+
+#. module: website
+#. odoo-python
+#: code:addons/website/models/website_rewrite.py:0
+#, python-format
+msgid "\"URL to\" cannot be set to an existing page."
+msgstr ""
+
 #. module: website
 #. odoo-python
 #: code:addons/website/models/website_rewrite.py:0

addons/website/models/website_rewrite.py

@@ -97,6 +97,18 @@ def _check_url_to(self):
                 for param in re.findall('/<.*?>', rewrite.url_to):
                     if param not in rewrite.url_from:
                         raise ValidationError(_('"URL to" cannot contain parameter %s which is not used in "URL from".', param))
+
+                if rewrite.url_to == '/':
+                    raise ValidationError(_('"URL to" cannot be set to "/". To change the homepage content, use the "Homepage URL" field in the website settings or the page properties on any custom page.'))
+
+                if any(
+                    rule for rule in self.env['ir.http'].routing_map().iter_rules()
+                    # Odoo routes are normally always defined without trailing
+                    # slashes + strict_slashes=False, but there are exceptions.
+                    if rule.rule.rstrip('/') == rewrite.url_to.rstrip('/')
+                ):
+                    raise ValidationError(_('"URL to" cannot be set to an existing page.'))
+
                 try:
                     converters = self.env['ir.http']._get_converters()
                     routing_map = werkzeug.routing.Map(strict_slashes=False, converters=converters)

addons/website/tests/__init__.py

@@ -24,6 +24,7 @@
 from . import test_page_manager
 from . import test_performance
 from . import test_qweb
+from . import test_redirect
 from . import test_res_users
 from . import test_snippets
 from . import test_theme

addons/website/tests/test_redirect.py

@@ -0,0 +1,35 @@
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from odoo.models import ValidationError
+from odoo.tests import TransactionCase, tagged
+
+
+@tagged('-at_install', 'post_install')
+class TestWebsiteRedirect(TransactionCase):
+    def test_01_website_redirect_validation(self):
+        with self.assertRaises(ValidationError) as error:
+            self.env['website.rewrite'].create({
+                'name': 'Test Website Redirect',
+                'redirect_type': '308',
+                'url_from': '/website/info',
+                'url_to': '/',
+            })
+        self.assertIn('homepage', str(error.exception))
+
+        with self.assertRaises(ValidationError) as error:
+            self.env['website.rewrite'].create({
+                'name': 'Test Website Redirect',
+                'redirect_type': '308',
+                'url_from': '/website/info',
+                'url_to': '/favicon.ico',
+            })
+        self.assertIn('existing page', str(error.exception))
+
+        with self.assertRaises(ValidationError) as error:
+            self.env['website.rewrite'].create({
+                'name': 'Test Website Redirect',
+                'redirect_type': '308',
+                'url_from': '/website/info',
+                'url_to': '/favicon.ico/',  # trailing slash on purpose
+            })
+        self.assertIn('existing page', str(error.exception))