
[Security] Do not throw exception for a non-existing route defined in _target_path when login #43567

Closed

@franmomu

Symfony version(s) affected: 5.3.x and I guess 4.4.x

Description

When using `_target_path` in a login, if the value is a non-existing route, it throws a `Symfony\Component\Routing\Exception\RouteNotFoundException`.

How to reproduce
In a login form allowing `_target_path`, modify the value to send one that is neither a route nor starts with `http`.

Possible Solution
I guess if the value does not start with `http`, it could be checked whether it's an existing route and, if not, set `$path` to `/` in

```php
public function createRedirectResponse(Request $request, string $path, int $status = 302)
{
    if (null !== $this->secureDomainRegexp && 'https' === $this->urlMatcher->getContext()->getScheme() && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->secureDomainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
        $path = '/';
    }
    if (null !== $this->domainRegexp && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
        $path = '/';
    }

    // generateUri() treats a value that is neither an http(s) URL nor a local path
    // as a route name, which is where the RouteNotFoundException comes from.
    return new RedirectResponse($this->generateUri($request, $path), $status);
}
```

or catch the `RouteNotFoundException` and redirect to `/` maybe.

Additional context


I came across this when someone tried to set _target_path to <script>something</script> (which does nothing because it's just used as a key from an array).
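The fallback described in the proposed solution, written out as an added example (this is neither Symfony's `HttpUtils` nor the reporter's code): a hypothetical `TargetPathResolver` that keeps the same host check as `createRedirectResponse`, keeps local paths, and turns a `_target_path` that is not a generatable route name into `/` instead of letting `RouteNotFoundException` escape. It assumes PHP 8 and the Symfony Routing component being autoloaded via Composer.

```php
<?php
// Added example: sanitising a user-supplied _target_path before redirecting.
// Assumes Symfony's routing component is autoloaded (e.g. via Composer) and PHP >= 8.0.

use Symfony\Component\Routing\Exception\RouteNotFoundException;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

final class TargetPathResolver // hypothetical class name
{
    /**
     * @param string|null $domainRegexp sprintf() pattern with one %s for the current
     *                                  host, in the same form HttpUtils uses
     */
    public function __construct(
        private UrlGeneratorInterface $urlGenerator,
        private ?string $domainRegexp = null,
    ) {
    }

    /** Returns a redirect target that is safe to hand to RedirectResponse; anything unusable becomes "/". */
    public function resolve(string $path, string $currentHost): string
    {
        if ('' === $path) {
            return '/';
        }

        // Absolute URL: accept it only when its host matches the configured domain pattern
        // (same regex as HttpUtils::createRedirectResponse), otherwise fall back to "/".
        if (preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host)) {
            if (null !== $this->domainRegexp
                && !preg_match(sprintf($this->domainRegexp, preg_quote($currentHost)), $host[0])) {
                return '/';
            }

            return $path;
        }

        // Local path: keep it; HttpUtils::generateUri() resolves it against the current host.
        if ('/' === $path[0]) {
            return $path;
        }

        // Anything else is interpreted as a route name. An unknown name (e.g. "<script>something</script>")
        // must not surface as an uncaught RouteNotFoundException, so it is replaced by "/".
        try {
            return $this->urlGenerator->generate($path, [], UrlGeneratorInterface::ABSOLUTE_URL);
        } catch (RouteNotFoundException) {
            return '/';
        }
    }
}
```

The resolver is meant to run before `createRedirectResponse()` is called, so the value that reaches `generateUri()` is always an absolute URL, a local path, or a route that exists.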
