Merge branch '4.13' into 5.3

# Conflicts: # core-bundle/src/Controller/BackendController.php # core-bundle/src/Controller/BackendPreviewController.php # core-bundle/src/Controller/BackendPreviewSwitchController.php # core-bundle/src/Resources/config/routes.yml # core-bundle/src/Resources/contao/library/Contao/Controller.php # core-bundle/tests/Contao/TemplateLoaderTest.php # installation-bundle/src/Controller/InstallationController.php
contao · May 23, 2024 · 862793b · 862793b
2 parents 966532a + 73331f2
commit 862793b
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 15 deletions.
diff --git a/core-bundle/config/routes.yaml b/core-bundle/config/routes.yaml
@@ -11,6 +11,7 @@ contao_backend_redirect:
     path: '%contao.backend.route_prefix%/'
     defaults:
         _scope: backend
+        _store_referrer: false
         _controller: Symfony\Bundle\FrameworkBundle\Controller\RedirectController::redirectAction
         route: contao_backend
         permanent: true
diff --git a/core-bundle/src/Controller/BackendController.php b/core-bundle/src/Controller/BackendController.php
@@ -44,8 +44,8 @@ public function mainAction(): Response
         return $controller->run();
     }
 
-    #[Route('/login', name: 'contao_backend_login')]
-    #[Route('/login-link', name: 'contao_backend_login_link')]
+    #[Route('/login', name: 'contao_backend_login', defaults: ['_store_referer' => false])]
+    #[Route('/login-link', name: 'contao_backend_login_link', defaults: ['_store_referer' => false])]
     public function loginAction(Request $request): Response
     {
         $this->initializeContaoFramework();
@@ -72,13 +72,13 @@ public function loginAction(Request $request): Response
     /**
      * Symfony will un-authenticate the user automatically by calling this route.
      */
-    #[Route('/logout', name: 'contao_backend_logout')]
+    #[Route('/logout', name: 'contao_backend_logout', defaults: ['_store_referer' => false])]
     public function logoutAction(): RedirectResponse
     {
         return $this->redirectToRoute('contao_backend_login');
     }
 
-    #[Route('/password', name: 'contao_backend_password')]
+    #[Route('/password', name: 'contao_backend_password', defaults: ['_store_referer' => false])]
     public function passwordAction(): Response
     {
         $this->initializeContaoFramework();
@@ -88,7 +88,7 @@ public function passwordAction(): Response
         return $controller->run();
     }
 
-    #[Route('/confirm', name: 'contao_backend_confirm')]
+    #[Route('/confirm', name: 'contao_backend_confirm', defaults: ['_store_referer' => false])]
     public function confirmAction(): Response
     {
         $this->initializeContaoFramework();
@@ -98,7 +98,7 @@ public function confirmAction(): Response
         return $controller->run();
     }
 
-    #[Route('/help', name: 'contao_backend_help')]
+    #[Route('/help', name: 'contao_backend_help', defaults: ['_store_referer' => false])]
     public function helpAction(): Response
     {
         $this->initializeContaoFramework();
@@ -108,7 +108,7 @@ public function helpAction(): Response
         return $controller->run();
     }
 
-    #[Route('/popup', name: 'contao_backend_popup')]
+    #[Route('/popup', name: 'contao_backend_popup', defaults: ['_store_referer' => false])]
     public function popupAction(): Response
     {
         $this->initializeContaoFramework();
@@ -118,7 +118,7 @@ public function popupAction(): Response
         return $controller->run();
     }
 
-    #[Route('/alerts', name: 'contao_backend_alerts')]
+    #[Route('/alerts', name: 'contao_backend_alerts', defaults: ['_store_referer' => false])]
     public function alertsAction(): Response
     {
         $this->initializeContaoFramework();
@@ -133,7 +133,7 @@ public function alertsAction(): Response
      * It will determine the current provider URL based on the value, which is usually
      * read dynamically via JavaScript.
      */
-    #[Route('/picker', name: 'contao_backend_picker')]
+    #[Route('/picker', name: 'contao_backend_picker', defaults: ['_store_referer' => false])]
     public function pickerAction(Request $request): RedirectResponse
     {
         $extras = [];
@@ -156,7 +156,7 @@ public function pickerAction(Request $request): RedirectResponse
         return new RedirectResponse($picker->getCurrentUrl());
     }
 
-    #[Route('/{parameters}', name: 'contao_backend_fallback', requirements: ['parameters' => '.*'], priority: -1000)]
+    #[Route('/{parameters}', name: 'contao_backend_fallback', requirements: ['parameters' => '.*'], defaults: ['_store_referer' => false], priority: -1000)]
     public function backendFallback(): Response
     {
         return $this->render(

diff --git a/core-bundle/src/Controller/BackendPreviewController.php b/core-bundle/src/Controller/BackendPreviewController.php
@@ -31,7 +31,7 @@
  * requested front end page while ensuring that the /preview.php entry point is
  * used. When requested, the front end user gets authenticated.
  */
-#[Route('%contao.backend.route_prefix%', defaults: ['_scope' => 'backend', '_allow_preview' => true])]
+#[Route('%contao.backend.route_prefix%/preview', name: 'contao_backend_preview', defaults: ['_scope' => 'backend', '_allow_preview' => true, '_store_referrer' => false])]
 class BackendPreviewController
 {
     public function __construct(
@@ -44,7 +44,6 @@ public function __construct(
     ) {
     }
 
-    #[Route('/preview', name: 'contao_backend_preview')]
     public function __invoke(Request $request): Response
     {
         // Skip the redirect if there is no preview script, otherwise we will end up in

diff --git a/core-bundle/src/Controller/BackendPreviewSwitchController.php b/core-bundle/src/Controller/BackendPreviewSwitchController.php
@@ -37,7 +37,7 @@
  * - Provide the member usernames for the datalist
  * - Process the switch action (i.e. log in a specific front end user)
  */
-#[Route('%contao.backend.route_prefix%', defaults: ['_scope' => 'backend', '_allow_preview' => true])]
+#[Route('%contao.backend.route_prefix%/preview_switch', name: 'contao_backend_switch', defaults: ['_scope' => 'backend', '_allow_preview' => true, '_store_referrer' => false])]
 class BackendPreviewSwitchController
 {
     public function __construct(
@@ -54,7 +54,6 @@ public function __construct(
     ) {
     }
 
-    #[Route('/preview_switch', name: 'contao_backend_switch')]
     public function __invoke(Request $request): Response
     {
         $user = $this->security->getUser();

diff --git a/core-bundle/src/EventListener/CsrfTokenCookieSubscriber.php b/core-bundle/src/EventListener/CsrfTokenCookieSubscriber.php
@@ -120,6 +120,15 @@ private function requiresCsrf(Request $request, Response $response): bool
 
     private function isSessionEmpty(SessionInterface $session): bool
     {
+        foreach (headers_list() as $header) {
+            if (
+                str_starts_with($header, "Set-Cookie: {$session->getName()}=")
+                && !str_starts_with($header, "Set-Cookie: {$session->getName()}=deleted;")
+            ) {
+                return false;
+            }
+        }
+
         if (!$session->isStarted()) {
             return true;
         }

diff --git a/core-bundle/src/EventListener/MakeResponsePrivateListener.php b/core-bundle/src/EventListener/MakeResponsePrivateListener.php
@@ -115,6 +115,15 @@ private function makePrivate(Response $response, string $reason): void
 
     private function isSessionEmpty(SessionInterface $session): bool
     {
+        foreach (headers_list() as $header) {
+            if (
+                str_starts_with($header, "Set-Cookie: {$session->getName()}=")
+                && !str_starts_with($header, "Set-Cookie: {$session->getName()}=deleted;")
+            ) {
+                return false;
+            }
+        }
+
         if (!$session->isStarted()) {
             return true;
         }

diff --git a/core-bundle/src/EventListener/StoreRefererListener.php b/core-bundle/src/EventListener/StoreRefererListener.php
@@ -91,7 +91,8 @@ private function canModifyBackendSession(Request $request): bool
             && !$request->query->has('token')
             && !$request->query->has('state')
             && 'feRedirect' !== $request->query->get('do')
-            && 'contao_backend' === $request->attributes->get('_route')
+            && 'backend' === $request->attributes->get('_scope')
+            && false !== $request->attributes->get('_store_referrer')
             && !$request->isXmlHttpRequest();
     }
 

diff --git a/core-bundle/tests/EventListener/StoreRefererListenerTest.php b/core-bundle/tests/EventListener/StoreRefererListenerTest.php
@@ -246,6 +246,7 @@ public function testDoesNotStoreTheRefererIfTheBackEndSessionCannotBeModified():
         $request->setSession($session);
 
         $request->attributes->set('_scope', ContaoCoreBundle::SCOPE_BACKEND);
+        $request->attributes->set('_store_referrer', false);
 
         $listener = $this->getListener($this->createMock(User::class));
         $listener($this->getResponseEvent($request));