Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
security #24995 Validate redirect targets using the session cookie do…
…main (nicolas-grekas) This PR was merged into the 2.7 branch. Discussion ---------- Validate redirect targets using the session cookie domain | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | n/a | License | MIT | Doc PR | n/a <!-- - Bug fixes must be submitted against the lowest branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too). - Features and deprecations must be submitted against the master branch. - Please fill in this template according to the PR you're about to submit. - Replace this comment by a description of what your PR is solving. --> Commits ------- 52b06f1 [Security] Validate redirect targets using the session cookie domain
- Loading branch information
Showing
5 changed files
with
214 additions
and
1 deletion.
There are no files selected for viewing
40 changes: 40 additions & 0 deletions
40
...ony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
<?php | ||
|
||
/* | ||
* This file is part of the Symfony package. | ||
* | ||
* (c) Fabien Potencier <fabien@symfony.com> | ||
* | ||
* For the full copyright and license information, please view the LICENSE | ||
* file that was distributed with this source code. | ||
*/ | ||
|
||
namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler; | ||
|
||
use Symfony\Component\DependencyInjection\Reference; | ||
use Symfony\Component\DependencyInjection\ContainerBuilder; | ||
use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface; | ||
|
||
/** | ||
* Uses the session domain to restrict allowed redirection targets. | ||
* | ||
* @author Nicolas Grekas <p@tchwork.com> | ||
*/ | ||
class AddSessionDomainConstraintPass implements CompilerPassInterface | ||
{ | ||
/** | ||
* {@inheritdoc} | ||
*/ | ||
public function process(ContainerBuilder $container) | ||
{ | ||
if (!$container->hasParameter('session.storage.options') || !$container->has('security.http_utils')) { | ||
return; | ||
} | ||
|
||
$sessionOptions = $container->getParameter('session.storage.options'); | ||
$domainRegexp = empty($sessionOptions['cookie_domain']) ? '%s' : sprintf('(?:%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.'))); | ||
$domainRegexp = (empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://').$domainRegexp; | ||
|
||
$container->findDefinition('security.http_utils')->addArgument(sprintf('{^%s$}i', $domainRegexp)); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
131 changes: 131 additions & 0 deletions
131
.../SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,131 @@ | ||
<?php | ||
|
||
/* | ||
* This file is part of the Symfony package. | ||
* | ||
* (c) Fabien Potencier <fabien@symfony.com> | ||
* | ||
* For the full copyright and license information, please view the LICENSE | ||
* file that was distributed with this source code. | ||
*/ | ||
|
||
namespace Symfony\Bundle\SecurityBundle\Tests\DependencyInjection\Compiler; | ||
|
||
use PHPUnit\Framework\TestCase; | ||
use Symfony\Bundle\FrameworkBundle\DependencyInjection\FrameworkExtension; | ||
use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSessionDomainConstraintPass; | ||
use Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension; | ||
use Symfony\Component\DependencyInjection\ContainerBuilder; | ||
use Symfony\Component\HttpFoundation\Request; | ||
|
||
class AddSessionDomainConstraintPassTest extends TestCase | ||
{ | ||
public function testSessionCookie() | ||
{ | ||
$container = $this->createContainer(array('cookie_domain' => '.symfony.com.', 'cookie_secure' => true)); | ||
|
||
$utils = $container->get('security.http_utils'); | ||
$request = Request::create('/', 'get'); | ||
|
||
$this->assertTrue($utils->createRedirectResponse($request, 'https://symfony.com/blog')->isRedirect('https://symfony.com/blog')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.symfony.com/blog')->isRedirect('https://www.symfony.com/blog')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://localhost/foo')->isRedirect('https://localhost/foo')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.localhost/foo')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://symfony.com/blog')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://pirate.com/foo')->isRedirect('http://localhost/')); | ||
} | ||
|
||
public function testSessionNoDomain() | ||
{ | ||
$container = $this->createContainer(array('cookie_secure' => true)); | ||
|
||
$utils = $container->get('security.http_utils'); | ||
$request = Request::create('/', 'get'); | ||
|
||
$this->assertTrue($utils->createRedirectResponse($request, 'https://symfony.com/blog')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.symfony.com/blog')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://localhost/foo')->isRedirect('https://localhost/foo')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.localhost/foo')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://symfony.com/blog')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://pirate.com/foo')->isRedirect('http://localhost/')); | ||
} | ||
|
||
public function testSessionNoSecure() | ||
{ | ||
$container = $this->createContainer(array('cookie_domain' => '.symfony.com.')); | ||
|
||
$utils = $container->get('security.http_utils'); | ||
$request = Request::create('/', 'get'); | ||
|
||
$this->assertTrue($utils->createRedirectResponse($request, 'https://symfony.com/blog')->isRedirect('https://symfony.com/blog')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.symfony.com/blog')->isRedirect('https://www.symfony.com/blog')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://localhost/foo')->isRedirect('https://localhost/foo')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.localhost/foo')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://symfony.com/blog')->isRedirect('http://symfony.com/blog')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://pirate.com/foo')->isRedirect('http://localhost/')); | ||
} | ||
|
||
public function testSessionNoSecureAndNoDomain() | ||
{ | ||
$container = $this->createContainer(array()); | ||
|
||
$utils = $container->get('security.http_utils'); | ||
$request = Request::create('/', 'get'); | ||
|
||
$this->assertTrue($utils->createRedirectResponse($request, 'https://symfony.com/blog')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.symfony.com/blog')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://localhost/foo')->isRedirect('https://localhost/foo')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://localhost/foo')->isRedirect('http://localhost/foo')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.localhost/foo')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://symfony.com/blog')->isRedirect('http://localhost/')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://pirate.com/foo')->isRedirect('http://localhost/')); | ||
} | ||
|
||
public function testNoSession() | ||
{ | ||
$container = $this->createContainer(null); | ||
|
||
$utils = $container->get('security.http_utils'); | ||
$request = Request::create('/', 'get'); | ||
|
||
$this->assertTrue($utils->createRedirectResponse($request, 'https://symfony.com/blog')->isRedirect('https://symfony.com/blog')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.symfony.com/blog')->isRedirect('https://www.symfony.com/blog')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://localhost/foo')->isRedirect('https://localhost/foo')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'https://www.localhost/foo')->isRedirect('https://www.localhost/foo')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://symfony.com/blog')->isRedirect('http://symfony.com/blog')); | ||
$this->assertTrue($utils->createRedirectResponse($request, 'http://pirate.com/foo')->isRedirect('http://pirate.com/foo')); | ||
} | ||
|
||
private function createContainer($sessionStorageOptions) | ||
{ | ||
$container = new ContainerBuilder(); | ||
$container->setParameter('kernel.cache_dir', __DIR__); | ||
$container->setParameter('kernel.charset', 'UTF-8'); | ||
$container->setParameter('kernel.container_class', 'cc'); | ||
$container->setParameter('kernel.debug', true); | ||
$container->setParameter('kernel.root_dir', __DIR__); | ||
$container->setParameter('kernel.secret', __DIR__); | ||
if (null !== $sessionStorageOptions) { | ||
$container->setParameter('session.storage.options', $sessionStorageOptions); | ||
} | ||
$container->setParameter('request_listener.http_port', 80); | ||
$container->setParameter('request_listener.https_port', 443); | ||
|
||
$config = array( | ||
'security' => array( | ||
'providers' => array('some_provider' => array('id' => 'foo')), | ||
'firewalls' => array('some_firewall' => array('security' => false)), | ||
), | ||
); | ||
|
||
$ext = new FrameworkExtension(); | ||
$ext->load(array(), $container); | ||
|
||
$ext = new SecurityExtension(); | ||
$ext->load($config, $container); | ||
|
||
(new AddSessionDomainConstraintPass())->process($container); | ||
|
||
return $container; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters