From 9ae8b54b372fd65c2fac6718ca450a69e31b079f Mon Sep 17 00:00:00 2001
From: Reinier Kip
Date: Wed, 30 Sep 2015 13:40:39 +0200
Subject: [PATCH] Prevent attackers from submitting illegal return URLs

Before this change, a return URL of https://selfservice.tld@attack.tld was acceptable, because it started with our app's HTTP scheme and host.
---
 .../SelfServiceBundle/Controller/LocaleController.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php
index ca4784927..a3c588175 100644
--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php
@@ -30,7 +30,9 @@ public function switchLocaleAction(Request $request)
 {
 $returnUrl = $request->query->get('return-url');
- $domain = $request->getSchemeAndHttpHost();
+ // Return URLs generated by us always include a path (ie. at least a forward slash)
+ // @see https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Request.php#L878
+ $domain = $request->getSchemeAndHttpHost() . '/';
 if (strpos($returnUrl, $domain) !== 0) {
 $this->get('logger')->error(sprintf(
 'Identity "%s" used illegal return-url for redirection after changing locale, aborting request',