From 9bef4598820d790b5898ee37448ff9a898264f4e Mon Sep 17 00:00:00 2001
From: Yassine Guedidi
Date: Thu, 28 Dec 2023 21:26:10 +0100
Subject: [PATCH] Make Redirect helper supports only absolute path reference URLs

---
 src/Wallabag/CoreBundle/Helper/Redirect.php | 19 ++++++++++++++++---
 .../CoreBundle/Helper/RedirectTest.php | 7 +++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/src/Wallabag/CoreBundle/Helper/Redirect.php b/src/Wallabag/CoreBundle/Helper/Redirect.php
index 6bcb64779..dd0a61a6a 100644
--- a/src/Wallabag/CoreBundle/Helper/Redirect.php
+++ b/src/Wallabag/CoreBundle/Helper/Redirect.php
@@ -2,6 +2,7 @@
 
 namespace Wallabag\CoreBundle\Helper;
 
+use GuzzleHttp\Psr7\Uri;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Wallabag\CoreBundle\Entity\Config;
@@ -32,6 +33,14 @@ class Redirect
         $user = $this->tokenStorage->getToken() ? $this->tokenStorage->getToken()->getUser() : null;
 
         if (!$user instanceof User) {
+            if (null === $url) {
+                return $this->router->generate('homepage');
+            }
+
+            if (!Uri::isAbsolutePathReference(new Uri($url))) {
+                return $this->router->generate('homepage');
+            }
+
             return $url;
         }
 
@@ -40,10 +49,14 @@ class Redirect
             return $this->router->generate('homepage');
         }
 
-        if (null !== $url) {
-            return $url;
+        if (null === $url) {
+            return $this->router->generate('homepage');
         }
 
-        return $this->router->generate('homepage');
+        if (!Uri::isAbsolutePathReference(new Uri($url))) {
+            return $this->router->generate('homepage');
+        }
+
+        return $url;
     }
 }
diff --git a/tests/Wallabag/CoreBundle/Helper/RedirectTest.php b/tests/Wallabag/CoreBundle/Helper/RedirectTest.php
index 2b56e8afb..192ef6efd 100644
--- a/tests/Wallabag/CoreBundle/Helper/RedirectTest.php
+++ b/tests/Wallabag/CoreBundle/Helper/RedirectTest.php
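Review bot: The new guard in the not-logged-in branch still lets a backslash-prefixed value through: `Uri::isAbsolutePathReference` only requires an empty scheme and authority plus a leading `/`, and as far as I can tell Guzzle parses `/\evil.example` as a bare path (the backslash is percent-encoded inside the parsed object, but the untouched `$url` string is what `return $url;` hands back), whereas browsers normalise `/\` to `//` in a Location header and follow it off-site. `new Uri($url)` also throws `MalformedUriException` (an `\InvalidArgumentException`) on input `parse_url` rejects, so if `$url` is request-supplied — the caller is not visible here — a crafted value surfaces as a 500 instead of a homepage redirect. I would move the null check, a `/\` rejection and a try/catch into one private predicate and have this branch read `return $this->isSafeTarget($url) ? $url : $this->router->generate('homepage');`. The enclosing `to()` method starts before this hunk.

```php
    /**
     * Accept only a same-origin absolute-path reference such as "/unread/list".
     * Protocol-relative ("//host"), backslash ("/\host") and unparsable values
     * are rejected so the helper cannot be turned into an open redirect.
     */
    private function isSafeTarget(?string $url): bool
    {
        // Browsers treat "/\host" as "//host"; Guzzle does not, so reject it up front.
        if (null === $url || 0 === strpos($url, '/\\')) {
            return false;
        }

        try {
            return Uri::isAbsolutePathReference(new Uri($url));
        } catch (\InvalidArgumentException $e) {
            // MalformedUriException extends InvalidArgumentException.
            return false;
        }
    }
```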
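Review bot: The logged-in branch now repeats, statement for statement, the null check and `Uri::isAbsolutePathReference` guard that the not-logged-in branch above already performs, each ending in the same `return $this->router->generate('homepage');`, and the two copies will drift the next time the rule changes. Fold both into one private predicate so each branch is a single `return $this->isSafeTarget($url) ? $url : $this->router->generate('homepage');`. Nothing in the method says why a non-path value is discarded, so also state the contract in a docblock on `to()`: `Only a same-origin absolute-path reference (e.g. "/unread/list") is honoured; null, absolute and protocol-relative URLs fall back to the homepage route.` The start of `to()` lies outside this hunk; the hunk ends with the closing braces of the method and the class.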
@@ -73,6 +73,13 @@ class RedirectTest extends TestCase
         $this->assertSame('/unread/list', $redirectUrl);
     }
 
+    public function testRedirectToAbsoluteUrl()
+    {
+        $redirectUrl = $this->redirect->to('https://www.google.com/');
+
+        $this->assertSame('/', $redirectUrl);
+    }
+
     public function testWithNotLoggedUser()
     {
         $redirect = new Redirect($this->routerMock, new TokenStorage());
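Review bot: `testRedirectToAbsoluteUrl` pins only the fully-qualified case; the two classic bypasses of a leading-slash check, the protocol-relative `//www.google.com/` and the backslash form `/\www.google.com`, are not covered, and neither is `null`, which the new code also maps to the homepage. Add `$this->assertSame('/', $this->redirect->to('//www.google.com/'));`, `$this->assertSame('/', $this->redirect->to('/\\www.google.com'));` and `$this->assertSame('/', $this->redirect->to(null));` next to the existing assertion; I expect the backslash case to fail against the current guard, which is exactly what the test should show. The `'/'` expectation relies on the router mock returning `/` for the `homepage` route, which is configured outside this hunk, and `testWithNotLoggedUser` continues past the hunk's last line.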