bug #24101 [Security] Fix exception when use_referer option is true and referer is not set or empty (linniksa)

This PR was submitted for the master branch but it was merged into the 2.7 branch instead (closes #24101).

Discussion
----------

[Security] Fix exception when use_referer option is true and referer is not set or empty

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| License       | MIT

Commits
-------

a29e069 [Security] Fix exception when use_referer option is true and referer is not set or empty
fabpot committed Sep 7, 2017
2 parents d74144f + a29e069 commit b6a29a2
Showing 2 changed files with 12 additions and 3 deletions.
Expand Up @@ -118,12 +118,11 @@ protected function determineTargetUrl(Request $request)
return $targetUrl;
}

if ($this->options['use_referer']) {
$targetUrl = $request->headers->get('Referer');
if ($this->options['use_referer'] && $targetUrl = $request->headers->get('Referer')) {
if (false !== $pos = strpos($targetUrl, '?')) {
$targetUrl = substr($targetUrl, 0, $pos);
}
if ($targetUrl !== $this->httpUtils->generateUri($request, $this->options['login_path'])) {
if ($targetUrl && $targetUrl !== $this->httpUtils->generateUri($request, $this->options['login_path'])) {
return $targetUrl;
}
}
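Review bot: In the inner condition (`$targetUrl && $targetUrl !== $this->httpUtils->generateUri(...)`), the Referer value is still returned as the post-login redirect target after only two checks visible in this hunk: that it is non-empty and that it differs from the login path. Because the header is supplied by the client, either check here that the target is on the request's own host or add a comment saying where that restriction is enforced. Two smaller points: the assignment inside the outer `if` would read more safely with explicit parentheses, `$this->options['use_referer'] && ($targetUrl = $request->headers->get('Referer'))`, and a one-line comment that the second `$targetUrl &&` guard exists for a Referer consisting only of a query string (empty after `substr`) would explain why both checks are needed.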
Expand Up @@ -83,6 +83,16 @@ public function getRequestRedirections()
array(),
'/',
),
'target path as referer when referer not set' => array(
Request::create('/'),
array('use_referer' => true),
'/',
),
'target path as referer when referer is ?' => array(
Request::create('/', 'GET', array(), array(), array(), array('HTTP_REFERER' => '?')),
array('use_referer' => true),
'/',
),
'target path should be different than login URL' => array(
Request::create('/', 'GET', array(), array(), array(), array('HTTP_REFERER' => 'http://localhost/login')),
array('use_referer' => true, 'login_path' => '/login'),
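Review bot: The two added cases cover a missing Referer and a Referer of `?`, but there is no case for a header that is present with an empty value (`'HTTP_REFERER' => ''`), which the commit title names explicitly. Adding it would pin the new `&& $targetUrl = ...` branch separately from the `substr` path that the `?` case exercises. A case where the Referer is the login URL with a query string appended would also confirm that the stripping and the login-path comparison work together.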
