8000 bug #47069 [Security] Allow redirect after login to absolute URLs (Ti… · symfony/symfony@dfa765d · GitHub
[go: up one dir, main page]
Skip to content

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit dfa765d

Browse files
fabpotfabpot
committed
bug #47069 [Security] Allow redirect after login to absolute URLs (Tim Ward)
This PR was merged into the 4.4 branch. Discussion ---------- [Security] Allow redirect after login to absolute URLs | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #46533 | License | MIT | Doc PR | Fixes the regression introduced by #46317, and once again allows absolute URLs to be the target of authentication redirection, as specified in the documentation (https://symfony.com/doc/current/security/form_login.html#changing-the-default-page) Commits ------- b9901aa [Security] Allow redirect after login to absolute URLs
2 parents 03bdaed + b9901aa commit dfa765d

File tree

4 files changed

+34
-2
lines changed

4 files changed

+34
-2
lines changed

src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationFailureHandler.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
7373
$options = $this->options;
7474
$failureUrl = ParameterBagUtils::getRequestParameterValue($request, $options['failure_path_parameter']);
7575

76-
if (\is_string($failureUrl) && str_starts_with($failureUrl, '/')) {
76+
if (\is_string($failureUrl) && (str_starts_with($failureUrl, '/') || str_starts_with($failureUrl, 'http'))) {
7777
$options['failure_path'] = $failureUrl;
7878
} elseif ($this->logger && $failureUrl) {
7979
$this->logger->debug(sprintf('Ignoring query parameter "%s": not a valid URL.', $options['failure_path_parameter']));

src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationSuccessHandler.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -107,7 +107,7 @@ protected function determineTargetUrl(Request $request)
107107

108108
$targetUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['target_path_parameter']);
109109

110-
if (\is_string($targetUrl) && str_starts_with($targetUrl, '/')) {
110+
if (\is_string($targetUrl) && (str_starts_with($targetUrl, '/') || str_starts_with($targetUrl, 'http'))) {
111111
return $targetUrl;
112112
}
113113

src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -207,6 +207,21 @@ public function testFailurePathFromRequestWithInvalidUrl()
207207
$handler->onAuthenticationFailure($this->request, $this->exception);
208208
}
209209

210+
public function testAbsoluteUrlRedirectionFromRequest()
211+
{
212+
$options = ['failure_path_parameter' => '_my_failure_path'];
213+
214+
$this->request->expects($this->once())
215+
->method('get')->with('_my_failure_path')
216+
->willReturn('https://localhost/some-path');
217+
218+
$this->httpUtils->expects($this->once())
219+
->method('createRedirectResponse')->with($this->request, 'https://localhost/some-path');
220+
221+
$handler = new DefaultAuthenticationFailureHandler($this->httpKernel, $this->httpUtils, $options, $this->logger);
222+
$handler->onAuthenticationFailure($this->request, $this->exception);
223+
}
224+
210225
private function getRequest()
211226
{
212227
$request = $this->createMock(Request::class);

src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationSuccessHandlerTest.php

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -135,4 +135,21 @@ public function testTargetPathFromRequestWithInvalidUrl()
135135

136136
$handler->onAuthenticationSuccess($request, $token);
137137
}
138+
139+
public function testTargetPathWithAbsoluteUrlFromRequest()
140+
{
141+
$options = ['target_path_parameter' => '_my_target_path'];
142+
143+
$request = $this->createMock(Request::class);
144+
$request->expects($this->once())
145+
->method('get')->with('_my_target_path')
146+
->willReturn('https://localhost/some-path');
147+
148+
$httpUtils = $this->createMock(HttpUtils::class);
149+
$httpUtils->expects($this->once())
150+
->method('createRedirectResponse')->with($request, 'https://localhost/some-path');
151+
152+
$handler = new DefaultAuthenticationSuccessHandler($httpUtils, $options);
153+
$handler->onAuthenticationSuccess($request, $this->createMock(TokenInterface::class));
154+
}
138155
}

0 commit comments

Comments
 (0)
0