Skip to content

Commit df36a1a

Browse files
SpomkySpomky
committed
Allow custom scheme to be used as redirection URIs and additional security means
1 parent b4128fd commit df36a1a

File tree

2 files changed

+66
-2
lines changed

2 files changed

+66
-2
lines changed

src/Symfony/Component/Security/Http/HttpUtils.php

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -148,7 +148,20 @@ public function checkRequestPath(Request $request, string $path)
148148
*/
149149
public function generateUri(Request $request, string $path)
150150
{
151-
if (str_starts_with($path, 'http') || !$path) {
151+
$url = parse_url($path);
152+
153+
// Prevent path traversal (ex: https://example.com/../../file)
154+
if (preg_match('#/\.\.?(/|$)#', $url['path'])) {
155+
return $request->getUriForPath('/');
156+
}
157+
158+
// Prevent protocol-relative redirection (ex: //example.com/file)
159+
if (!isset($url['scheme']) && isset($url['host'], $url['path'])) {
160+
return $request->getUriForPath('/');
161+
}
162+
163+
// absolute URL
164+
if (isset($url['scheme'], $url['host'])) {
152165
return $path;
153166
}
154167

src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php

Lines changed: 52 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -58,6 +58,54 @@ public function testCreateRedirectResponseWithRequestsDomain()
5858
$this->assertTrue($response->isRedirect('http://localhost/blog'));
5959
}
6060

61+
/**
62+
* @dataProvider validRequestDomainUrls
63+
*/
64+
public function testCreateRedirectResponse(?string $domainRegexp, string $path, string $expectedRedirectUri)
65+
{
66+
$utils = new HttpUtils($this->getUrlGenerator(), null, $domainRegexp);
67+
$response = $utils->createRedirectResponse($this->getRequest(), $path);
68+
69+
$this->assertTrue($response->isRedirect($expectedRedirectUri));
70+
$this->assertEquals(302, $response->getStatusCode());
71+
}
72+
73+
public static function validRequestDomainUrls()
74+
{
75+
return [
76+
'/foobar' => [
77+
null,
78+
'/foobar',
79+
'http://localhost/foobar',
80+
],
81+
'http://symfony.com/ without domain regex' => [
82+
null,
83+
'http://symfony.com/',
84+
'http://symfony.com/',
85+
],
86+
'http://localhost/blog with #^https?://symfony\.com$#i' => [
87+
'#^https?://symfony\.com$#i',
88+
'http://symfony.com/blog',
89+
'http://symfony.com/blog',
90+
],
91+
'http://localhost/blog with #^https?://%s$#i' => [
92+
'#^https?://%s$#i',
93+
'http://localhost/blog',
94+
'http://localhost/blog',
95+
],
96+
'custom scheme' => [
97+
null,
98+
'android-app://com.google.android.gm/',
99+
'android-app://com.google.android.gm/',
100+
],
101+
'custom scheme with all URL components' => [
102+
null,
103+
'android-app://foo:bar@www.example.com:8080/software/index.html?lite=true#section1',
104+
'android-app://foo:bar@www.example.com:8080/software/index.html?lite=true#section1',
105+
],
106+
];
107+
}
108+
61109
/**
62110
* @dataProvider badRequestDomainUrls
63111
*/
@@ -77,6 +125,9 @@ public static function badRequestDomainUrls()
77125
['http:/\\pirate.net/foo'],
78126
['http:\\/pirate.net/foo'],
79127
['http://////pirate.net/foo'],
128+
['//evil.com/do-bad-things'],
129+
['http://localhost/foo/../bar'],
130+
['http:///foo'],
80131
];
81132
}
82133

@@ -85,7 +136,7 @@ public function testCreateRedirectResponseWithProtocolRelativeTarget()
85136
$utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');
86137
$response = $utils->createRedirectResponse($this->getRequest(), '//evil.com/do-bad-things');
87138

88-
$this->assertTrue($response->isRedirect('http://localhost//evil.com/do-bad-things'), 'Protocol-relative redirection should not be supported for security reasons');
139+
$this->assertTrue($response->isRedirect('http://localhost/'), 'Protocol-relative redirection should not be supported for security reasons');
89140
}
90141

91142
public function testCreateRedirectResponseWithRouteName()

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy