[Security\Http] detect bad redirect targets using backslashes
parent
cb8302cb76
commit
99a0cec0a6
@ -59,7 +59,7 @@ class HttpUtils
|
|||
*/
|
||||
public function createRedirectResponse(Request $request, $path, $status = 302)
|
||||
{
|
||||
if (null !== $this->domainRegexp && preg_match('#^https?://[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
|
||||
if (null !== $this->domainRegexp && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
|
||||
$path = '/';
|
||||
}
|
||||
|
||||
|
|
|
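Review bot: The new host pattern on the `if` line is dense enough that it needs a comment explaining why backslashes and runs of separators are accepted after the scheme, otherwise a later reader may "simplify" it back to `://` and silently reopen the gap this commit closes. Something like `// Browsers treat "\" and repeated separators after the scheme like "//", so match any run of slashes/backslashes before extracting the host (see HttpUtilsTest::badRequestDomainUrls)` above the condition would do. It is also worth stating in that comment that `$host[0]` keeps the original separators, so a same-host target written as `http:\\localhost/...` will not satisfy a domainRegexp of the `#^https?://%s$#i` form and falls back to `/` — the safe direction, but deliberate rather than accidental. The method's body continues past the hunk, so the remainder was not reviewed.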
@ -54,14 +54,28 @@ class HttpUtilsTest extends TestCase
|
|||
$this->assertTrue($response->isRedirect('http://localhost/blog'));
|
||||
}
|
||||
|
||||
public function testCreateRedirectResponseWithBadRequestsDomain()
|
||||
/**
|
||||
* @dataProvider badRequestDomainUrls
|
||||
*/
|
||||
public function testCreateRedirectResponseWithBadRequestsDomain($url)
|
||||
{
|
||||
$utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');
|
||||
$response = $utils->createRedirectResponse($this->getRequest(), 'http://pirate.net/foo');
|
||||
$response = $utils->createRedirectResponse($this->getRequest(), $url);
|
||||
|
||||
$this->assertTrue($response->isRedirect('http://localhost/'));
|
||||
}
|
||||
|
||||
public function badRequestDomainUrls()
|
||||
{
|
||||
return array(
|
||||
array('http://pirate.net/foo'),
|
||||
array('http:\\\\pirate.net/foo'),
|
||||
array('http:/\\pirate.net/foo'),
|
||||
array('http:\\/pirate.net/foo'),
|
||||
array('http://////pirate.net/foo'),
|
||||
);
|
||||
}
|
||||
|
||||
public function testCreateRedirectResponseWithProtocolRelativeTarget()
|
||||
{
|
||||
$utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');
|
||||
|
|
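Review bot: `badRequestDomainUrls` exercises only foreign hosts, so nothing pins what happens to a same-host target written with backslashes, which the new host pattern captures with its original separators and, under this test's `#^https?://%s$#i` regexp, rejects to `/`. A dataset such as `array('http:\\\\localhost/foo'),` in the provider (the existing `isRedirect('http://localhost/')` assertion already matches that outcome) would document that this fallback is intended. An uppercase-scheme entry like `array('HTTP://pirate.net/foo'),` would likewise pin the `i` modifier, which no current dataset depends on. The `array(...)` syntax matches the rest of the file as shown, so no change there.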