Extra query parameter being added to links from emails, how do I prevent this?

Your software

My Mautic version is: 2.16.2
My PHP version is: 7.2.24

Your problem

We add a link to an email, for example

When the email is sent, Mautic turns this into a tracking link:
Here, xxx is a 25-character hexadecimal string, and yyy is a much longer string which is base64-encoded tracking data. So far, so good.

However, when requesting this URL, Mautic responds with a Location header (redirect) to
The xxx is the same as in the redirect URL.

Twitter doesn’t mind and just gives you the right content, but in general, this is a different URL than the one we specified, so there’s no telling where it might lead! In our case we are dealing with a rather picky web server which will redirect to the wrong place if any URL parameters are present.

Where is this extra URL parameter coming from, and how do I stop Mautic from adding it? Ideally to this one link (I imagine the cruft is meant for third parties tracking traffic from us), but globally if we have to.

This topic is similar but talks about a q parameter, which is not the same.

I dug into the source code and I believe it might be a bug in Mautic, although I can’t quite put my finger on it.

The relevant code is here:

In particular, I notice that r%2Fxxx decodes to r/xxx which is probably not added to the returned URL on purpose! The ct parameter is unset, which should leave $query an empty array, but note that there’s a stray & at the end of the original URL so maybe $q is not entirely empty. How r/xxx would end up as part of the incoming query string though, remains a mystery to me.

Unfortunately we can’t upgrade to Mautic 3 yet because we’re waiting for some fixes to land there, so I’m hesitant to file a bug report in case this has already been fixed.