Merge pull request #93 from SURFnet/bugfix/locale-switch-return-url-s…

…ecurity Prevent attackers from submitting illegal return URLs
OpenConext · Sep 30, 2015 · 1ba8b77 · 1ba8b77
2 parents a863b3b + 9ae8b54
commit 1ba8b77
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php
@@ -30,7 +30,9 @@ public function switchLocaleAction(Request $request)
     {
         $returnUrl = $request->query->get('return-url');
 
-        $domain = $request->getSchemeAndHttpHost();
+        // Return URLs generated by us always include a path (ie. at least a forward slash)
+        // @see https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Request.php#L878
+        $domain = $request->getSchemeAndHttpHost() . '/';
         if (strpos($returnUrl, $domain) !== 0) {
             $this->get('logger')->error(sprintf(
                 'Identity "%s" used illegal return-url for redirection after changing locale, aborting request',