Skip to content

[Security] Fix login url matching when app is not run with url rewriting or from a sub folder #47317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fabpot merged 1 commit into from
Sep 29, 2022
Merged

[Security] Fix login url matching when app is not run with url rewriting or from a sub folder #47317

fabpot merged 1 commit into from
Sep 29, 2022

Conversation

@sgehrig
Copy link
Contributor

@sgehrig sgehrig commented Aug 18, 2022
edited by nicolas-grekas
Loading

Q A
Branch? 5.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #44893
License MIT
Doc PR not required

Uses the fix suggested by @weaverryan in #44893 (comment). I also added three tests for scenarios which I could replicate from running a simple app on a real webserver (Apache and Nginx). This, however, might not be sufficient because there could be other combinations of server variables like DOCUMENT_ROOT, PHP_SELF, SCRIPT_FILENAME, SCRIPT_NAME and possibly others depending on the server configuration and setup. As long as \Symfony\Component\HttpFoundation\Request::getBaseUrl() and \Symfony\Component\HttpFoundation\Request::getPathInfo() work correctly, I assume that the fix will also be correct in all those constellations.

The fix is based on the assumptions that:

  • \Symfony\Component\HttpFoundation\Request::getBaseUrl() always returns an empty string when the application is run from root without the front controller script in the URL (using URL rewriting for example)
  • \Symfony\Component\HttpFoundation\Request::getBaseUrl() always returns the path from the server root to the application base path (possibly including the front controller script)
  • \Symfony\Component\HttpFoundation\Request::getPathInfo() always returns just the routed part of the request

Please advise if you'd need some more tests.

@carsonbot carsonbot added this to the 5.4 milestone Aug 18, 2022
@sgehrig sgehrig mentioned this pull request Aug 18, 2022
Closed
@sgehrig
Copy link
Contributor Author

sgehrig commented Aug 18, 2022

Not sure about the the CI errors. They don't seem to be related to the fix 🤷‍♂️

@carsonbot carsonbot changed the title [#44893] fixes login url matching [Security] [#44893] fixes login url matching Sep 28, 2022
@nicolas-grekas nicolas-grekas changed the title [Security] [#44893] fixes login url matching [Security] Fix login url matching Sep 28, 2022
@nicolas-grekas nicolas-grekas changed the title [Security] Fix login url matching [Security] Fix login url matching when app is not run with url rewriting or from a sub folder Sep 28, 2022
@fabpot
Copy link
Member

fabpot commented Sep 29, 2022

Thank you @sgehrig.

@fabpot fabpot merged commit 885994e into symfony:5.4 Sep 29, 2022
@fabpot fabpot mentioned this pull request Sep 30, 2022
Merged
@sgehrig
Copy link
Contributor Author

sgehrig commented Sep 30, 2022

@fabpot Is there a reason why this fix has not been merged into 6.0, 6.1, etc.?

@fabpot
Copy link
Member

fabpot commented Oct 1, 2022

This PR was not merged up to 6.0 and 6.1 before the releases. So, it will be part of the next release in about a month.

This was referenced Oct 12, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fabpot fabpot fabpot approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr chalasr approved these changes

@wouterj wouterj Awaiting requested review from wouterj

Assignees

No one assigned

Labels

Bug Security Status: Reviewed

Projects

None yet

Milestone

5.4

Development

Successfully merging this pull request may close these issues.

5 participants

@sgehrig @fabpot @nicolas-grekas @chalasr @carsonbot