Home Explore Help
Sign In
bachir
/
edlp_d8
1
0
Fork 0
Files Issues 8 Pull Requests 0 Wiki
Tree: 07a138cfe6
Branches Tags
edlp_d8
/
core
/
lib
/
Drupal
/
Core
/
EventSubscriber
/
RedirectResponseSubscriber.php

RedirectResponseSubscriber.php 7.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174 
  1. <?php
    2. 

  2. 

  3. namespace Drupal\Core\EventSubscriber;
    4. 

  4. 

  5. use Drupal\Component\HttpFoundation\SecuredRedirectResponse;
    6. 

  6. use Drupal\Component\Utility\UrlHelper;
    7. 

  7. use Drupal\Core\Routing\LocalRedirectResponse;
    8. 

  8. use Drupal\Core\Routing\RequestContext;
    9. 

  9. use Drupal\Core\Utility\UnroutedUrlAssemblerInterface;
    10. 

  10. use Symfony\Component\HttpFoundation\Response;
    11. 

  11. use Symfony\Component\HttpKernel\Event\GetResponseEvent;
    12. 

  12. use Symfony\Component\HttpKernel\KernelEvents;
    13. 

  13. use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
    14. 

  14. use Symfony\Component\HttpFoundation\RedirectResponse;
    15. 

  15. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
    16. 

  16. 

  17. /**
    18. 

  18.  * Allows manipulation of the response object when performing a redirect.
    19. 

  19.  */
    20. 

  20. class RedirectResponseSubscriber implements EventSubscriberInterface {
    21. 

  21. 

  22.   /**
    23. 

  23.    * The unrouted URL assembler service.
    24. 

  24.    *
    25. 

  25.    * @var \Drupal\Core\Utility\UnroutedUrlAssemblerInterface
    26. 

  26.    */
    27. 

  27.   protected $unroutedUrlAssembler;
    28. 

  28. 

  29.   /**
    30. 

  30.    * Constructs a RedirectResponseSubscriber object.
    31. 

  31.    *
    32. 

  32.    * @param \Drupal\Core\Utility\UnroutedUrlAssemblerInterface $url_assembler
    33. 

  33.    *   The unrouted URL assembler service.
    34. 

  34.    * @param \Drupal\Core\Routing\RequestContext $request_context
    35. 

  35.    *   The request context.
    36. 

  36.    */
    37. 

  37.   public function __construct(UnroutedUrlAssemblerInterface $url_assembler, RequestContext $request_context) {
    38. 

  38.     $this->unroutedUrlAssembler = $url_assembler;
    39. 

  39.     $this->requestContext = $request_context;
    40. 

  40.   }
    41. 

  41. 

  42.   /**
    43. 

  43.    * Allows manipulation of the response object when performing a redirect.
    44. 

  44.    *
    45. 

  45.    * @param \Symfony\Component\HttpKernel\Event\FilterResponseEvent $event
    46. 

  46.    *   The Event to process.
    47. 

  47.    */
    48. 

  48.   public function checkRedirectUrl(FilterResponseEvent $event) {
    49. 

  49.     $response = $event->getResponse();
    50. 

  50.     if ($response instanceof RedirectResponse) {
    51. 

  51.       $request = $event->getRequest();
    52. 

  52. 

  53.       // Let the 'destination' query parameter override the redirect target.
    54. 

  54.       // If $response is already a SecuredRedirectResponse, it might reject the
    55. 

  55.       // new target as invalid, in which case proceed with the old target.
    56. 

  56.       $destination = $request->query->get('destination');
    57. 

  57.       if ($destination) {
    58. 

  58.         // The 'Location' HTTP header must always be absolute.
    59. 

  59.         $destination = $this->getDestinationAsAbsoluteUrl($destination, $request->getSchemeAndHttpHost());
    60. 

  60.         try {
    61. 

  61.           $response->setTargetUrl($destination);
    62. 

  62.         }
    63. 

  63.         catch (\InvalidArgumentException $e) {
    64. 

  64.         }
    65. 

  65.       }
    66. 

  66. 

  67.       // Regardless of whether the target is the original one or the overridden
    68. 

  68.       // destination, ensure that all redirects are safe.
    69. 

  69.       if (!($response instanceof SecuredRedirectResponse)) {
    70. 

  70.         try {
    71. 

  71.           // SecuredRedirectResponse is an abstract class that requires a
    72. 

  72.           // concrete implementation. Default to LocalRedirectResponse, which
    73. 

  73.           // considers only redirects to within the same site as safe.
    74. 

  74.           $safe_response = LocalRedirectResponse::createFromRedirectResponse($response);
    75. 

  75.           $safe_response->setRequestContext($this->requestContext);
    76. 

  76.         }
    77. 

  77.         catch (\InvalidArgumentException $e) {
    78. 

  78.           // If the above failed, it's because the redirect target wasn't
    79. 

  79.           // local. Do not follow that redirect. Display an error message
    80. 

  80.           // instead. We're already catching one exception, so trigger_error()
    81. 

  81.           // rather than throw another one.
    82. 

  82.           // We don't throw an exception, because this is a client error rather than a
    83. 

  83.           // server error.
    84. 

  84.           $message = 'Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it.';
    85. 

  85.           trigger_error($message, E_USER_ERROR);
    86. 

  86.           $safe_response = new Response($message, 400);
    87. 

  87.         }
    88. 

  88.         $event->setResponse($safe_response);
    89. 

  89.       }
    90. 

  90.     }
    91. 

  91.   }
    92. 

  92. 

  93.   /**
    94. 

  94.    * Converts the passed in destination into an absolute URL.
    95. 

  95.    *
    96. 

  96.    * @param string $destination
    97. 

  97.    *   The path for the destination. In case it starts with a slash it should
    98. 

  98.    *   have the base path included already.
    99. 

  99.    * @param string $scheme_and_host
    100. 

  100.    *   The scheme and host string of the current request.
    101. 

  101.    *
    102. 

  102.    * @return string
    103. 

  103.    *   The destination as absolute URL.
    104. 

  104.    */
    105. 

  105.   protected function getDestinationAsAbsoluteUrl($destination, $scheme_and_host) {
    106. 

  106.     if (!UrlHelper::isExternal($destination)) {
    107. 

  107.       // The destination query parameter can be a relative URL in the sense of
    108. 

  108.       // not including the scheme and host, but its path is expected to be
    109. 

  109.       // absolute (start with a '/'). For such a case, prepend the scheme and
    110. 

  110.       // host, because the 'Location' header must be absolute.
    111. 

  111.       if (strpos($destination, '/') === 0) {
    112. 

  112.         $destination = $scheme_and_host . $destination;
    113. 

  113.       }
    114. 

  114.       else {
    115. 

  115.         // Legacy destination query parameters can be internal paths that have
    116. 

  116.         // not yet been converted to URLs.
    117. 

  117.         $destination = UrlHelper::parse($destination);
    118. 

  118.         $uri = 'base:' . $destination['path'];
    119. 

  119.         $options = [
    120. 

  120.           'query' => $destination['query'],
    121. 

  121.           'fragment' => $destination['fragment'],
    122. 

  122.           'absolute' => TRUE,
    123. 

  123.         ];
    124. 

  124.         // Treat this as if it's user input of a path relative to the site's
    125. 

  125.         // base URL.
    126. 

  126.         $destination = $this->unroutedUrlAssembler->assemble($uri, $options);
    127. 

  127.       }
    128. 

  128.     }
    129. 

  129.     return $destination;
    130. 

  130.   }
    131. 

  131. 

  132.   /**
    133. 

  133.    * Sanitize the destination parameter to prevent open redirect attacks.
    134. 

  134.    *
    135. 

  135.    * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
    136. 

  136.    *   The Event to process.
    137. 

  137.    */
    138. 

  138.   public function sanitizeDestination(GetResponseEvent $event) {
    139. 

  139.     $request = $event->getRequest();
    140. 

  140.     // Sanitize the destination parameter (which is often used for redirects) to
    141. 

  141.     // prevent open redirect attacks leading to other domains. Sanitize both
    142. 

  142.     // $_GET['destination'] and $_REQUEST['destination'] to protect code that
    143. 

  143.     // relies on either, but do not sanitize $_POST to avoid interfering with
    144. 

  144.     // unrelated form submissions. The sanitization happens here because
    145. 

  145.     // url_is_external() requires the variable system to be available.
    146. 

  146.     $query_info = $request->query;
    147. 

  147.     $request_info = $request->request;
    148. 

  148.     if ($query_info->has('destination') || $request_info->has('destination')) {
    149. 

  149.       // If the destination is an external URL, remove it.
    150. 

  150.       if ($query_info->has('destination') && UrlHelper::isExternal($query_info->get('destination'))) {
    151. 

  151.         $query_info->remove('destination');
    152. 

  152.         $request_info->remove('destination');
    153. 

  153.       }
    154. 

  154.       // If there's still something in $_REQUEST['destination'] that didn't come
    155. 

  155.       // from $_GET, check it too.
    156. 

  156.       if ($request_info->has('destination') && (!$query_info->has('destination') || $request_info->get('destination') != $query_info->get('destination')) && UrlHelper::isExternal($request_info->get('destination'))) {
    157. 

  157.         $request_info->remove('destination');
    158. 

  158.       }
    159. 

  159.     }
    160. 

  160.   }
    161. 

  161. 

  162.   /**
    163. 

  163.    * Registers the methods in this class that should be listeners.
    164. 

  164.    *
    165. 

  165.    * @return array
    166. 

  166.    *   An array of event listener definitions.
    167. 

  167.    */
    168. 

  168.   public static function getSubscribedEvents() {
    169. 

  169.     $events[KernelEvents::RESPONSE][] = ['checkRedirectUrl'];
    170. 

  170.     $events[KernelEvents::REQUEST][] = ['sanitizeDestination', 100];
    171. 

  171.     return $events;
    172. 

  172.   }
    173. 

  173. 

  174. }
    175.