bug #14593 [Security][Firewall] Avoid redirection to XHR URIs (asiragusa)
This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #14593).
Discussion
----------
[Security][Firewall] Avoid redirection to XHR URIs
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
If `security.firewalls.main.form_login.always_use_default_target_path` is false, a user could be redirected to a URL called by an AJAX request after the login.
Commits
-------
9ee74ea Avoid redirection to XHR URIs
commit 7a4fdf7e67
@ -194,7 +194,7 @@ class ExceptionListener
|
||||
protected function setTargetPath(Request $request)
|
||||
{
|
||||
// session isn't required when using HTTP basic authentication mechanism for example
|
||||
if ($request->hasSession() && $request->isMethodSafe()) {
|
||||
if ($request->hasSession() && $request->isMethodSafe() && !$request->isXmlHttpRequest()) {
|
||||
$request->getSession()->set('_security.'.$this->providerKey.'.target_path', $request->getUri());
|
||||
}
|
||||
}
|
||||
|
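Review bot: The new `!$request->isXmlHttpRequest()` condition in `setTargetPath()` depends on the client sending the `X-Requested-With: XMLHttpRequest` header, so background requests issued without that header (for example through `fetch()` or a library that does not set it) will still overwrite `_security.<providerKey>.target_path` and can still become the post-login redirect. That limitation deserves a mention in the comment above the `if`, which currently only explains the session check. The visible change also touches only `ExceptionListener` and carries no test; a case asserting that the session key stays unset for a safe-method request carrying the XHR header would pin the behaviour down.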