Merge branch '6.0' into 6.1

* 6.0: [HttpKernel] Fix test sensitivity on xdebug.file_link_format [HttpKernel] Fix non-scalar check in surrogate fragment renderer [Debug][ErrorHandler] fix operator precedence [Cache] Ensured that redis adapter can use multiple redis sentinel hosts [DoctrineBridge] fix tests [Security] Allow redirect after login to absolute URLs
symfony · Jul 29, 2022 · 941b4e6 · 941b4e6
2 parents fe431e0 + 8229009
commit 941b4e6
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 2 deletions.
diff --git a/Authentication/DefaultAuthenticationFailureHandler.php b/Authentication/DefaultAuthenticationFailureHandler.php
@@ -72,7 +72,7 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
         $options = $this->options;
         $failureUrl = ParameterBagUtils::getRequestParameterValue($request, $options['failure_path_parameter']);
 
-        if (\is_string($failureUrl) && str_starts_with($failureUrl, '/')) {
+        if (\is_string($failureUrl) && (str_starts_with($failureUrl, '/') || str_starts_with($failureUrl, 'http'))) {
             $options['failure_path'] = $failureUrl;
         } elseif ($this->logger && $failureUrl) {
             $this->logger->debug(sprintf('Ignoring query parameter "%s": not a valid URL.', $options['failure_path_parameter']));

diff --git a/Authentication/DefaultAuthenticationSuccessHandler.php b/Authentication/DefaultAuthenticationSuccessHandler.php
@@ -94,7 +94,7 @@ protected function determineTargetUrl(Request $request): string
 
         $targetUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['target_path_parameter']);
 
-        if (\is_string($targetUrl) && str_starts_with($targetUrl, '/')) {
+        if (\is_string($targetUrl) && (str_starts_with($targetUrl, '/') || str_starts_with($targetUrl, 'http'))) {
             return $targetUrl;
         }
 

diff --git a/Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php b/Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php
@@ -207,6 +207,21 @@ public function testFailurePathFromRequestWithInvalidUrl()
         $handler->onAuthenticationFailure($this->request, $this->exception);
     }
 
+    public function testAbsoluteUrlRedirectionFromRequest()
+    {
+        $options = ['failure_path_parameter' => '_my_failure_path'];
+
+        $this->request->expects($this->once())
+            ->method('get')->with('_my_failure_path')
+            ->willReturn('https://localhost/some-path');
+
+        $this->httpUtils->expects($this->once())
+            ->method('createRedirectResponse')->with($this->request, 'https://localhost/some-path');
+
+        $handler = new DefaultAuthenticationFailureHandler($this->httpKernel, $this->httpUtils, $options, $this->logger);
+        $handler->onAuthenticationFailure($this->request, $this->exception);
+    }
+
     private function getRequest()
     {
         $request = $this->createMock(Request::class);

diff --git a/Tests/Authentication/DefaultAuthenticationSuccessHandlerTest.php b/Tests/Authentication/DefaultAuthenticationSuccessHandlerTest.php
@@ -135,4 +135,21 @@ public function testTargetPathFromRequestWithInvalidUrl()
 
         $handler->onAuthenticationSuccess($request, $token);
     }
+
+    public function testTargetPathWithAbsoluteUrlFromRequest()
+    {
+        $options = ['target_path_parameter' => '_my_target_path'];
+
+        $request = $this->createMock(Request::class);
+        $request->expects($this->once())
+            ->method('get')->with('_my_target_path')
+            ->willReturn('https://localhost/some-path');
+
+        $httpUtils = $this->createMock(HttpUtils::class);
+        $httpUtils->expects($this->once())
+            ->method('createRedirectResponse')->with($request, 'https://localhost/some-path');
+
+        $handler = new DefaultAuthenticationSuccessHandler($httpUtils, $options);
+        $handler->onAuthenticationSuccess($request, $this->createMock(TokenInterface::class));
+    }
 }