[12.x] redirect response enforce same origin

src/Illuminate/Http/RedirectResponse.php

@@ -8,6 +8,7 @@
 use Illuminate\Support\Str;
 use Illuminate\Support\Traits\ForwardsCalls;
 use Illuminate\Support\Traits\Macroable;
+use Illuminate\Support\Uri;
 use Illuminate\Support\ViewErrorBag;
 use Symfony\Component\HttpFoundation\File\UploadedFile as SymfonyUploadedFile;
 use Symfony\Component\HttpFoundation\RedirectResponse as BaseRedirectResponse;
@@ -182,6 +183,26 @@ public function withoutFragment()
  return $this->setTargetUrl(Str::before($this->getTargetUrl(), '#'));
  }
 
+ /**
+ * Enforce that the redirect target must have the same host as the current request.
+ */
+ public function enforceSameOrigin(
+ string $fallback,
+ bool $validateScheme = true,
+ bool $validatePort = true,
+ ): static {
+ $target = Uri::of($this->targetUrl);
+ $current = Uri::of($this->request->getSchemeAndHttpHost());
+
+ if ($target->host() !== $current->host() ||
+ ($validateScheme && $target->scheme() !== $current->scheme()) ||
+ ($validatePort && $target->port() !== $current->port())) {
+ $this->setTargetUrl($fallback);
+ }
+
+ return $this;
+ }
+
  /**
  * Get the original response content.
  *

tests/Http/HttpRedirectResponseTest.php

@@ -117,6 +117,69 @@ public function testFlashingErrorsOnRedirect()
  $response->withErrors($provider);
  }
 
+ public function testCanEnforceSameOriginWhenSameOrigin()
+ {
+ $response = new RedirectResponse('https://example.com/foo/bar');
+ $response->setRequest(Request::create('https://example.com/baz/buzz'));
+ $response->enforceSameOrigin('fallback');
+
+ $this->assertSame('https://example.com/foo/bar', $response->getTargetUrl());
+ }
+
+ public function testCanEnforceSameOriginWhenSameOriginAndCustomPort()
+ {
+ $response = new RedirectResponse('https://example.com:1/foo/bar');
+ $response->setRequest(Request::create('https://example.com:1/baz/buzz'));
+ $response->enforceSameOrigin('fallback');
+
+ $this->assertSame('https://example.com:1/foo/bar', $response->getTargetUrl());
+ }
+
+ public function testCanEnforceSameOriginWhenNotSameScheme()
+ {
+ $response = new RedirectResponse('https://example.com/foo/bar');
+ $response->setRequest(Request::create('http://example.com/baz/buzz'));
+ $response->enforceSameOrigin('fallback');
+
+ $this->assertSame('fallback', $response->getTargetUrl());
+ }
+
+ public function testCanEnforceSameOriginWhenNotSameHostname()
+ {
+ $response = new RedirectResponse('https://example.com/foo/bar');
+ $response->setRequest(Request::create('https://example2.com/baz/buzz'));
+ $response->enforceSameOrigin('fallback');
+
+ $this->assertSame('fallback', $response->getTargetUrl());
+ }
+
+ public function testCanEnforceSameOriginWhenNotSamePort()
+ {
+ $response = new RedirectResponse('https://example.com:1/foo/bar');
+ $response->setRequest(Request::create('https://example.com:2/baz/buzz'));
+ $response->enforceSameOrigin('fallback');
+
+ $this->assertSame('fallback', $response->getTargetUrl());
+ }
+
+ public function testCanEnforceSameOriginWhenNotSameSchemeAndSchemeValidationIsDisabled()
+ {
+ $response = new RedirectResponse('https://example.com/foo/bar');
+ $response->setRequest(Request::create('http://example.com/baz/buzz'));
+ $response->enforceSameOrigin('fallback', validateScheme: false);
+
+ $this->assertSame('https://example.com/foo/bar', $response->getTargetUrl());
+ }
+
+ public function testCanEnforceSameOriginWhenNotSamePortAndPortValidationIsDisabled()
+ {
+ $response = new RedirectResponse('https://example.com:1/foo/bar');
+ $response->setRequest(Request::create('https://example.com:2/baz/buzz'));
+ $response->enforceSameOrigin('fallback', validatePort: false);
+
+ $this->assertSame('https://example.com:1/foo/bar', $response->getTargetUrl());
+ }
+
  public function testSettersGettersOnRequest()
  {
  $response = new RedirectResponse('foo.bar');