bug #14593 [Security][Firewall] Avoid redirection to XHR URIs (asiragusa)

This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #14593).

Discussion
----------

[Security][Firewall] Avoid redirection to XHR URIs

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

If `security.firewalls.main.form_login.always_use_default_target_path` is false, a user could be redirected to a URL called by an AJAX request after the login.

Commits
-------

9ee74ea Avoid redirection to XHR URIs
Fabien Potencier 2015-05-20 10:40:29 +02:00
commit 7a4fdf7e67

@ -194,7 +194,7 @@ class ExceptionListener
protected function setTargetPath(Request $request)
{
// session isn't required when using HTTP basic authentication mechanism for example
if ($request->hasSession() && $request->isMethodSafe()) {
if ($request->hasSession() && $request->isMethodSafe() && !$request->isXmlHttpRequest()) {
$request->getSession()->set('_security.'.$this->providerKey.'.target_path', $request->getUri());
}
}
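
Review bot: the new `!$request->isXmlHttpRequest()` term in the `setTargetPath()` condition only excludes requests that carry the `X-Requested-With: XMLHttpRequest` header, so a background request sent without that header (a plain `fetch()` call, for example) still has its URI stored under `_security.<providerKey>.target_path` and can still become the post-login redirect. The comment above the `if` explains only the session check; it should also say why XHR requests are skipped and that the check depends on a client-supplied header. The visible change touches only `ExceptionListener` and carries no test; a case asserting that the target path stays unset for a request with that header would pin the behaviour.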