Closed
Description
Symfony version(s) affected
4.4.42
Description
The fix for bug #46317 introduced a regression. If a `_target_path` starts with `http` or `https`, it is dropped and the default location is returned instead. Using the Referer should still work.
How to reproduce
In a login form that accepts `_target_path`, modify the value so that it starts with `http` or `https`; the user is redirected to the default location instead of the submitted target.
Possible Solution
Simply modify the check to test whether the value is a valid URL. Something like this could work (the original snippet validated `$url` instead of `$targetUrl`; corrected here):

```php
// Accept a relative path, or an absolute URL that passes PHP's URL filter.
if (\is_string($targetUrl) && (str_starts_with($targetUrl, '/') || filter_var($targetUrl, FILTER_VALIDATE_URL))) {
    return $targetUrl;
}
```
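As an added example (not Symfony's code and not the reporter's proposal), the following helper shows the check with the restrictions a reviewer would want: a bare `filter_var(..., FILTER_VALIDATE_URL)` accepts any syntactically valid URL, so a login form would happily redirect to an external host, and a protocol-relative path like `//other.host/` also slips through a plain `/` prefix test. The function name `resolveTargetPath`, the `$allowedHosts` allow-list and the sample inputs are assumptions for illustration.

```php
<?php
// Added example, not part of the Symfony code base or of this issue's proposal.
// Assumption: the application maintains $allowedHosts, the hostnames it is
// willing to redirect back to after login; resolveTargetPath is a hypothetical name.

function resolveTargetPath(mixed $targetUrl, array $allowedHosts, string $default = '/'): string
{
    if (!\is_string($targetUrl) || '' === $targetUrl) {
        return $default;
    }

    // A relative path is only safe when it is not protocol-relative ("//host/...").
    if (str_starts_with($targetUrl, '/') && !str_starts_with($targetUrl, '//')) {
        return $targetUrl;
    }

    // Absolute URLs must parse, use http(s), and point at a host we control.
    if (false === filter_var($targetUrl, FILTER_VALIDATE_URL)) {
        return $default;
    }

    $parts  = parse_url($targetUrl);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');

    if (!\in_array($scheme, ['http', 'https'], true) || !\in_array($host, $allowedHosts, true)) {
        return $default;
    }

    return $targetUrl;
}

// Constructed sample inputs: the kinds of _target_path values a login form may receive.
$allowedHosts = ['app.example'];
$samples = [
    '/profile',                        // relative path: accepted
    '//attacker.example/phish',        // protocol-relative: rejected
    'https://app.example/dashboard',   // absolute URL on an allowed host: accepted
    'https://attacker.example/',       // absolute URL on a foreign host: rejected
    'javascript:alert(1)',             // non-http scheme: rejected
    null,                              // missing value: default
];

foreach ($samples as $input) {
    printf("%-35s => %s\n", var_export($input, true), resolveTargetPath($input, $allowedHosts));
}
```

Requests that fail the check fall back to `$default` rather than to the Referer, so the allow-list decides the outcome in every case; adding the request's own host to `$allowedHosts` at call time keeps same-origin absolute URLs working without hard-coding them.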
Additional Context
No response