Hello,

the ?_redirect= parameter supports "https:///evil.host" as a parameter and redirects to this host.

This could be a possible security issue. https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

I would suggest adding a check that the hostname (if one is available) in the redirect URL matches the current one, or adding a possible allow list for users who need different domains.

Something like

```php
$host = \parse_url($redirect->getTargetUrl(), \PHP_URL_HOST);

// A relative target has no host; an absolute one must point at the request host.
if ($host === null || $host === $request->getHost()) {
    return $redirect;
}

throw new \InvalidArgumentException('Redirect target host must be the same as the request host.');
```
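The following is an added, stand-alone example illustrating the allow-list approach described in this issue; it is not code from the issue or from the project. The function name `isSafeRedirectTarget`, the `$allowedHosts` parameter and the sample hosts (`example.com`, `partner.example`, `evil.host`) are assumptions made for the example. It keeps the two rules of the snippet above (relative targets pass, absolute targets must match a known host) and adds the edge cases a reviewer would check: protocol-relative `//evil.host`, backslash variants, the malformed `https:///evil.host` form from the report, and userinfo or subdomain tricks that an exact host comparison defeats.

```php
<?php
// Added example (not the project's code): a defensive check for a user-supplied
// redirect target such as the ?_redirect= value. It allows local absolute paths
// and absolute URLs whose host is the request host or on an allow-list, and it
// rejects the protocol-relative and malformed forms browsers would still follow.

function isSafeRedirectTarget(string $target, string $requestHost, array $allowedHosts = []): bool
{
    // Control characters and whitespace have no place in a Location header.
    if ($target === '' || preg_match('/[\x00-\x20\x7f]/', $target) === 1) {
        return false;
    }

    // Browsers treat backslashes as forward slashes, so normalise first;
    // otherwise "/\evil.host" would look like a harmless local path.
    $normalised = str_replace('\\', '/', $target);

    // A local path must start with exactly one slash: "//evil.host" is
    // protocol-relative and would leave the site.
    if ($normalised[0] === '/') {
        return strlen($normalised) === 1 || $normalised[1] !== '/';
    }

    // parse_url() reports some malformed input (for example "https:///evil.host")
    // by returning false; anything else without a usable host is refused below.
    $parts = parse_url($normalised);
    if ($parts === false) {
        return false;
    }

    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false; // no scheme at all ("evil.host") or an unwanted one ("javascript:")
    }

    $host = strtolower($parts['host'] ?? '');
    if ($host === '') {
        return false;
    }

    // Exact, case-insensitive match against the request host and the allow-list;
    // a suffix match would let "example.com.evil.host" through.
    $allowed = array_map('strtolower', array_merge([$requestHost], $allowedHosts));

    return in_array($host, $allowed, true);
}

// Constructed sample targets for a request to example.com with partner.example allowed.
$cases = [
    '/account'                        => true,
    '/account?next=1'                 => true,
    'https://example.com/checkout'    => true,
    'HTTPS://Partner.Example/'        => true,
    '//evil.host/'                    => false,
    '/\\evil.host'                    => false,
    'https:///evil.host'              => false,
    'https://example.com@evil.host/'  => false,
    'https://example.com.evil.host/'  => false,
    'evil.host'                       => false,
    'javascript:alert(1)'             => false,
];

foreach ($cases as $target => $expected) {
    $ok = isSafeRedirectTarget($target, 'example.com', ['partner.example']);
    printf("%-34s %s\n", $target, $ok === $expected ? 'ok' : 'MISMATCH');
}
```

The path and protocol-relative cases are decided before `parse_url()` is consulted on purpose: `parse_url()` is not a browser-grade URL parser, so the check only trusts it for the scheme and host of a fully qualified URL and refuses everything it cannot classify.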