Only allow relative urls for auth redirects

leepeuker · Oct 5, 2023 · 56d9cc8 · 56d9cc8
1 parent a3180ee
commit 56d9cc8
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/HttpController/Web/AuthenticationController.php b/src/HttpController/Web/AuthenticationController.php
@@ -39,10 +39,19 @@ public function login(Request $request) : Response
         }
         $redirect = $postParameters['redirect'];
         $target = $redirect ?? $_SERVER['HTTP_REFERER'];
+
+        $urlParts = parse_url($target);
+        if (is_array($urlParts) === false) {
+            $urlParts = ['path' => '/'];
+        }
+
+        /* @phpstan-ignore-next-line */
+        $targetRelativeUrl = $urlParts['path'] . $urlParts['query'] ?? '';
+
         return Response::create(
             StatusCode::createSeeOther(),
             null,
-            [Header::createLocation($target)],
+            [Header::createLocation($targetRelativeUrl)],
         );
     }