[HtmlSanitizer] Avoid accessing non existent array key when checking for hosts validity

Antoine Beyet · Antoine Beyet · commit c1d8c3900423 · 2025-01-17T12:58:39.000+01:00
fix #59524
diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php
@@ -274,6 +274,15 @@ public static function provideSanitize(): iterable
             'expected' => null,
         ];
 
+        yield [
+            'input' => 'https://trusted.com/link.php',
+            'allowedSchemes' => ['http', 'https'],
+            'allowedHosts' => ['subdomain.trusted.com', 'trusted.com'],
+            'forceHttps' => false,
+            'allowRelative' => false,
+            'expected' => 'https://trusted.com/link.php',
+        ];
+
         // Allow relative
         yield [
             'input' => '/link.php',
diff --git a/src/Symfony/Component/HtmlSanitizer/TextSanitizer/UrlSanitizer.php b/src/Symfony/Component/HtmlSanitizer/TextSanitizer/UrlSanitizer.php
@@ -132,7 +132,7 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar
     {
         // Check each chunk of the domain is valid
         foreach ($trustedParts as $key => $trustedPart) {
-            if ($uriParts[$key] !== $trustedPart) {
+            if (!array_key_exists($key, $uriParts) || $uriParts[$key] !== $trustedPart) {
                 return false;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,7 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar`
`132`	`132`	`{`
`133`	`133`	`// Check each chunk of the domain is valid`
`134`	`134`	`foreach ($trustedParts as $key => $trustedPart) {`
`135`		`- if ($uriParts[$key] !== $trustedPart) {`
	`135`	`+ if (!array_key_exists($key, $uriParts) \|\| $uriParts[$key] !== $trustedPart) {`
`136`	`136`	`return false;`
`137`	`137`	`}`
`138`	`138`	`}`