[Security] Allow custom scheme to be used as redirection URIs#50552


Merged
nicolas-grekas merged 1 commit into symfony:5.4 from Spomky:bugs/httputils-uris on Jul 13, 2023

Conversation

@Spomky (Contributor) commented Jun 4, 2023, edited by nicolas-grekas:

Q               A
Branch?         5.4
Bug fix?        yes
New feature?    no
Deprecations?   no
Tickets         Fix #50500
License         MIT
Doc PR          not needed

ping @sdespont and @MatTheCat

This PR aims to fix the redirection issue where only URLs starting with http are allowed.
With the modified behavior, it is now allowed to use any URL scheme. It will be possible to redirect to android-app://com.google.android.gm/.

In addition, it prevents the redirection to the following URLs:

  • With path traversal, e.g. https://example.com/foo/../../.htpasswd
  • With protocol-relative, e.g. //malicious.app/foo/bar

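To make the three behaviours in the PR description concrete (any RFC 3986 scheme accepted as an absolute target, protocol-relative targets refused, dot-segment paths refused), here is an added example. It is not Symfony's HttpUtils code and not code from this PR; the RedirectTargetCheck class, its classify() method and the three-way result are this example's own assumptions, and the sample targets are constructed from the examples quoted above. Note that the two "prevents" rules are the hardening that the later discussion in this thread drops before merge, so the merged Symfony change only relaxes the scheme check.

```php
<?php
// Added example, not Symfony's own HttpUtils implementation: a hypothetical
// RedirectTargetCheck class that classifies a redirect target the way the
// PR description proposes. Class and method names are assumptions.
declare(strict_types=1);

final class RedirectTargetCheck
{
    // RFC 3986, section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    // Accepting any syntactically valid scheme is what lets "android-app://..." through.
    private const SCHEME_RE = '/^[A-Za-z][A-Za-z0-9+.\-]*:/';

    /**
     * Returns 'absolute' (target carries a scheme), 'relative' (single leading "/")
     * or 'rejected'.
     */
    public static function classify(string $target): string
    {
        // Protocol-relative: a browser resolves "//host/..." against the current
        // scheme, so the user lands on another host. That is an open redirect.
        if (str_starts_with($target, '//')) {
            return 'rejected';
        }

        // "." or ".." path segments, the traversal case from the PR description.
        if (self::hasDotSegments($target)) {
            return 'rejected';
        }

        // Any scheme at all, not only "http": the bug this PR fixes.
        if (1 === preg_match(self::SCHEME_RE, $target)) {
            return 'absolute';
        }

        // Site-local path.
        if (str_starts_with($target, '/')) {
            return 'relative';
        }

        return 'rejected';
    }

    private static function hasDotSegments(string $target): bool
    {
        // parse_url() returns null when there is no path and false when the
        // string is seriously malformed; neither carries dot segments.
        $path = parse_url($target, PHP_URL_PATH);
        if (null === $path || false === $path) {
            return false;
        }
        foreach (explode('/', $path) as $segment) {
            if ('.' === $segment || '..' === $segment) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample targets, taken from the examples in the PR description
// plus a few extra cases; not data from the project.
$samples = [
    'https://example.com/login',
    'android-app://com.google.android.gm/',
    'urn:example:resource',
    '/profile',
    '//malicious.app/foo/bar',
    'https://example.com/foo/../../.htpasswd',
    'javascript:alert(1)',
];

foreach ($samples as $sample) {
    printf("%-42s %s\n", $sample, RedirectTargetCheck::classify($sample));
}
```

Run it with `php example.php` on PHP 8 or later (str_starts_with). The last sample is the caveat a practitioner should take from "any URL scheme": a purely syntactic check classifies javascript:alert(1) as a perfectly good absolute target, so an application that lets users influence the redirect target still needs its own allow-list of schemes and hosts; a framework-level check of this kind only says the target is well-formed.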
@Spomky (Contributor, Author) commented:

The support for URNs could be removed. It looks like it is not part of the current best practices (see RFC 8252); a custom scheme like android-app is now preferred.

@carsonbot changed the title from "Allow URL and URN to be used as redirection URIs" to "[Security] Allow URL and URN to be used as redirection URIs" on Jun 5, 2023
@Spomky changed the title from "[Security] Allow URL and URN to be used as redirection URIs" to "[Security] Allow custom scheme to be used as redirection URIs" on Jun 5, 2023
@nicolas-grekas (Member) left a comment:

(don't miss syncing the PR description with latest changes)

@Spomky force-pushed the bugs/httputils-uris branch 2 times, most recently from ee69421 to 0486a18, June 5, 2023 15:48
@chalasr (Member) left a comment:

See stof's review. Also keeping existing tests untouched makes the patch easier to review, which makes me much more confident to merge on security-related topics especially. Please avoid any refactoring if possible :)

@Spomky changed the title from "[Security] Allow custom scheme to be used as redirection URIs" to "[Security] Allow custom scheme to be used as redirection URIs and additional security means" on Jun 6, 2023
@Spomky force-pushed the bugs/httputils-uris branch 5 times, most recently from 7e2abc6 to df36a1a, June 6, 2023 16:04
@Spomky (Contributor, Author) commented:

Hi @chalasr,

Many thanks for your comment. I restored the previous tests and kept the one I created. Let me know if you agree with the modifications.

Regarding the behavior of paths starting with //, the change is intentional. I took the opportunity of this PR to fix the comment "Protocol-relative redirection should not be supported for security reasons". There is no reason for a developer to redirect to such a path, and it could be considered an open redirect in some situations.
I can revert the change and open another PR if you prefer. At some point it should be addressed, and it seems to be the perfect moment for me.

@nicolas-grekas changed the title from "[Security] Allow custom scheme to be used as redirection URIs and additional security means" to "[Security] Allow custom scheme to be used as redirection URIs" on Jul 7, 2023
@nicolas-grekas (Member) left a comment:

I removed the part about supposed security hardening, which is unproven to me and changes the behavior.

@Spomky (Contributor, Author) commented:

Agreed. Let's keep it simple and without any BC.

@nicolas-grekas (Member) commented:

Thank you @Spomky.


@nicolas-grekas merged commit 6eff7f0 into symfony:5.4 on Jul 13, 2023
@Spomky deleted the bugs/httputils-uris branch on July 16, 2023 19:58
This was referenced Jul 29, 2023

Reviewers

@nicolas-grekas approved these changes
@stof left review comments
@chalasr requested changes
@wouterj: awaiting requested review

Milestone

5.4

5 participants: @Spomky, @nicolas-grekas, @stof, @chalasr, @carsonbot
