[Security] Allow custom scheme to be used as redirection URIs #50552


Merged (1 commit, Jul 13, 2023)

Conversation

Spomky
Contributor

@Spomky Spomky commented Jun 4, 2023

Q A
Branch? 5.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #50500
License MIT
Doc PR not needed

ping @sdespont and @MatTheCat

This PR aims at fixing the redirection issue where only URLs starting with http are allowed.
With the modified behavior, it is now allowed to use any URL scheme. It will be possible to redirect to android-app://com.google.android.gm/.

In addition, it prevents the redirection to the following URLs:

  • With path traversal e.g. https://example.com/foo/../../.htpasswd
  • With protocol-relative e.g. //malicious.app/foo/bar
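As an added illustration (not code from this PR or from Symfony's HttpUtils), the following Python sketch contrasts the old "starts with http" test with a scheme-aware test, and classifies the two rejection cases listed above; note that the merged version of the PR later dropped those extra checks. The `allowed_schemes` parameter and the function names are my own assumptions, added to show that accepting any scheme shifts the allowlisting decision to the caller.

```python
import re
from typing import Optional, Set
from urllib.parse import unquote, urlsplit

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def legacy_is_absolute(target: str) -> bool:
    """Pre-PR behaviour: only targets beginning with 'http' count as absolute."""
    return target.startswith("http")


def scheme_of(target: str) -> Optional[str]:
    """Scheme-aware replacement: any syntactically valid scheme, e.g. android-app."""
    m = SCHEME_RE.match(target)
    return m.group(0)[:-1].lower() if m else None


def has_dot_segments(path: str) -> bool:
    """True if any path segment is '..' (checked after one round of percent-decoding)."""
    return any(seg == ".." for seg in unquote(path).split("/"))


def classify_redirect(target: str, allowed_schemes: Optional[Set[str]] = None) -> str:
    """Classify a redirect target the way the PR description proposes.

    Returns 'absolute', 'path', 'protocol-relative', 'path-traversal' or 'rejected'.
    allowed_schemes (hypothetical parameter) optionally restricts accepted schemes.
    """
    if target.startswith("//"):
        return "protocol-relative"  # scheme would be inherited from the current page
    scheme = scheme_of(target)
    if scheme is not None:
        if allowed_schemes is not None and scheme not in allowed_schemes:
            return "rejected"
        if has_dot_segments(urlsplit(target).path):
            return "path-traversal"
        return "absolute"
    if target.startswith("/"):
        if has_dot_segments(urlsplit(target).path):
            return "path-traversal"
        return "path"
    return "rejected"  # bare relative references are ambiguous; refuse them
```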

@Spomky Spomky requested review from wouterj and chalasr as code owners June 4, 2023 16:19
@carsonbot carsonbot added this to the 5.4 milestone Jun 4, 2023
@Spomky Spomky force-pushed the bugs/httputils-uris branch from ea5dfcf to b6ceb8e Compare June 4, 2023 16:22
@Spomky
Contributor Author

Spomky commented Jun 4, 2023

The support for URNs could be removed. It looks like it is not part of the current best practices (see RFC8252); custom schemes like android-app are now preferred.

@carsonbot carsonbot changed the title Allow URL and URN to be used as redirection URIs [Security] Allow URL and URN to be used as redirection URIs Jun 5, 2023
@Spomky Spomky changed the title [Security] Allow URL and URN to be used as redirection URIs [Security] Allow custom scheme to be used as redirection URIs Jun 5, 2023
Member

@nicolas-grekas nicolas-grekas left a comment


(don't miss syncing the PR description with latest changes)

@Spomky Spomky force-pushed the bugs/httputils-uris branch 2 times, most recently from ee69421 to 0486a18 Compare June 5, 2023 15:48
Member

@chalasr chalasr left a comment


See stof's review. Also keeping existing tests untouched makes the patch easier to review, which makes me much more confident to merge on security-related topics especially. Please avoid any refactoring if possible :)

@Spomky Spomky changed the title [Security] Allow custom scheme to be used as redirection URIs [Security] Allow custom scheme to be used as redirection URIs and additional security means Jun 6, 2023
@Spomky Spomky force-pushed the bugs/httputils-uris branch 5 times, most recently from 7e2abc6 to df36a1a Compare June 6, 2023 16:04
@Spomky
Contributor Author

Spomky commented Jun 6, 2023

Hi @chalasr,

Many thanks for your comment. I restored the previous tests and kept the one I created. Let me know if you agree with the modifications.

Regarding the behavior of paths starting with //, the change is intentional. I took the opportunity of this PR to fix the comment "Protocol-relative redirection should not be supported for security reasons". There is no reason for a developer to redirect to such a path, and it could be considered an open redirect in some situations.
I can revert the change and open another PR if you prefer. At some point, it should be addressed and it seems to be the perfect moment for me.

@nicolas-grekas nicolas-grekas changed the title [Security] Allow custom scheme to be used as redirection URIs and additional security means [Security] Allow custom scheme to be used as redirection URIs Jul 7, 2023
Member

@nicolas-grekas nicolas-grekas left a comment


I removed the parts about supposed security hardening, which are unproven to me and change the behavior.

@Spomky
Contributor Author

Spomky commented Jul 7, 2023

Agreed. Let's keep it simple and without any BC.

@nicolas-grekas
Member

Thank you @Spomky.

@nicolas-grekas nicolas-grekas merged commit 6eff7f0 into symfony:5.4 Jul 13, 2023
@Spomky Spomky deleted the bugs/httputils-uris branch July 16, 2023 19:58