Symfony version(s) affected: 5.3.x and I guess 4.4.x
Description
When using `_target_path` in a login, if the value is a non-existing route it throws a `Symfony\Component\Routing\Exception\RouteNotFoundException`.
How to reproduce
In a login form allowing `_target_path`, modify the value to send a value which is not a route and neither starts with `http`.
Possible Solution
I guess if the value is not starting with `http`, it could be checked if it's an existing route and if not set the `$path` to `/` in

symfony/src/Symfony/Component/Security/Http/HttpUtils.php, lines 61 to 70 in 732acf5:

```php
public function createRedirectResponse(Request $request, string $path, int $status = 302)
{
    if (null !== $this->secureDomainRegexp && 'https' === $this->urlMatcher->getContext()->getScheme() && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->secureDomainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
        $path = '/';
    }
    if (null !== $this->domainRegexp && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
        $path = '/';
    }

    return new RedirectResponse($this->generateUri($request, $path), $status);
}
```
or catch the `RouteNotFoundException` and redirect to `/` maybe.
Additional context
I came across this when someone tried to set `_target_path` to `<script>something</script>` (which does nothing because it's just used as a key from an array).
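The fallback proposed above (treat an unknown route name in `_target_path` as `/` instead of letting `RouteNotFoundException` surface), as an added stand-alone example that is not part of the issue or of Symfony's code. `StubUrlGenerator`, `resolveTargetPath` and the route table are hypothetical names and constructed data standing in for the real `UrlGenerator`, so the script runs without Symfony installed (PHP 8.0+).

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. A tiny in-file route table replaces the real
// UrlGenerator; the exception class mirrors the name the issue reports.
final class RouteNotFoundException extends \InvalidArgumentException {}

final class StubUrlGenerator
{
    /** @param array<string,string> $routes route name => path (constructed sample data) */
    public function __construct(private array $routes) {}

    public function generate(string $name): string
    {
        if (!isset($this->routes[$name])) {
            throw new RouteNotFoundException(sprintf('Unable to generate a URL for the named route "%s".', $name));
        }

        return $this->routes[$name];
    }
}

// Resolve a user-supplied _target_path into a redirect target. Unknown route
// names fall back to "/" instead of raising RouteNotFoundException.
function resolveTargetPath(string $targetPath, StubUrlGenerator $generator): string
{
    if ('' === $targetPath) {
        return '/';
    }
    // Absolute URLs and absolute paths pass through here; the domainRegexp
    // check shown in the issue's HttpUtils excerpt still applies to URLs.
    if (str_starts_with($targetPath, 'http') || '/' === $targetPath[0]) {
        return $targetPath;
    }
    // Anything else is treated as a route name, as HttpUtils::generateUri does.
    try {
        return $generator->generate($targetPath);
    } catch (RouteNotFoundException) {
        return '/';
    }
}

$generator = new StubUrlGenerator(['app_dashboard' => '/dashboard']);

// Constructed inputs: a real route, an absolute path, and the value from the issue.
foreach (['app_dashboard', '/account', '<script>something</script>', ''] as $input) {
    printf("%-30s => %s\n", var_export($input, true), resolveTargetPath($input, $generator));
}
```

Running it prints `/dashboard` and `/account` for the first two inputs and `/` for the unknown route name and the empty value.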