bug #62093 [Security] Fix HttpUtils::createRequest() when the context’s base URL isn’t empty (MatTheCat)

nicolas-grekas · nicolas-grekas · commit 88b0d7fe8a40 · 2025-11-12T14:34:32.000+01:00
This PR was merged into the 6.4 branch. Discussion ---------- [Security] Fix `HttpUtils::createRequest()` when the context’s base URL isn’t empty | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix #61659 (comment) | License | MIT Commits ------- 3210543 [Security] Fix `HttpUtils::createRequest()` when the context’s base URL isn’t empty
diff --git a/src/Symfony/Component/Security/Http/HttpUtils.php b/src/Symfony/Component/Security/Http/HttpUtils.php
@@ -73,9 +73,21 @@ public function createRequest(Request $request, string $path): Request
         if ($trustedProxies = Request::getTrustedProxies()) {
             Request::setTrustedProxies([], Request::getTrustedHeaderSet());
         }
-        $newRequest = Request::create($this->generateUri($request, $path), 'get', [], $request->cookies->all(), [], $request->server->all());
-        if ($trustedProxies) {
-            Request::setTrustedProxies($trustedProxies, Request::getTrustedHeaderSet());
+
+        $context = $this->urlGenerator?->getContext();
+        if ($baseUrl = $context?->getBaseUrl()) {
+            $context->setBaseUrl('');
+        }
+
+        try {
+            $newRequest = Request::create($this->generateUri($request, $path), 'get', [], $request->cookies->all(), [], $request->server->all());
+        } finally {
+            if ($trustedProxies) {
+                Request::setTrustedProxies($trustedProxies, Request::getTrustedHeaderSet());
+            }
+            if ($baseUrl) {
+                $context->setBaseUrl($baseUrl);
+            }
         }
 
         static $setSession;
diff --git a/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php b/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
@@ -16,10 +16,13 @@
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Routing\Exception\MethodNotAllowedException;
 use Symfony\Component\Routing\Exception\ResourceNotFoundException;
+use Symfony\Component\Routing\Generator\UrlGenerator;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\Matcher\RequestMatcherInterface;
 use Symfony\Component\Routing\Matcher\UrlMatcherInterface;
 use Symfony\Component\Routing\RequestContext;
+use Symfony\Component\Routing\Route;
+use Symfony\Component\Routing\RouteCollection;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
@@ -233,7 +236,7 @@ public static function provideSecurityRequestAttributes()
         ];
     }
 
-    public function testCreateRequestHandlesTrustedHeaders()
+    public function testCreateRequestFromPathHandlesTrustedHeaders()
     {
         Request::setTrustedProxies(['127.0.0.1'], Request::HEADER_X_FORWARDED_PREFIX);
 
@@ -243,6 +246,24 @@ public function testCreateRequestHandlesTrustedHeaders()
         );
     }
 
+    public function testCreateRequestFromRouteHandlesTrustedHeaders()
+    {
+        Request::setTrustedProxies(['127.0.0.1'], Request::HEADER_X_FORWARDED_PREFIX);
+
+        $request = Request::create('/', server: ['HTTP_X_FORWARDED_PREFIX' => '/foo']);
+
+        $urlGenerator = new UrlGenerator(
+            $routeCollection = new RouteCollection(),
+            (new RequestContext())->fromRequest($request),
+        );
+        $routeCollection->add('root', new Route('/'));
+
+        $this->assertSame(
+            'http://localhost/foo/',
+            (new HttpUtils($urlGenerator))->createRequest($request, 'root')->getUri(),
+        );
+    }
+
     public function testCheckRequestPath()
     {
         $utils = new HttpUtils($this->getUrlGenerator());
