RedirectUrlValidator.php

Go to the documentation of this file.

<?php
 
declare(strict_types=1);
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
namespace ‪TYPO3\CMS\FrontendLogin\Validation;
 
use Psr\Log\LoggerAwareInterface;
use Psr\Log\LoggerAwareTrait;
use ‪TYPO3\CMS\Core\Site\SiteFinder;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
 
class ‪RedirectUrlValidator implements LoggerAwareInterface
{
    use LoggerAwareTrait;
 
    protected ‪$siteFinder;
 
    public function ‪__construct(?‪SiteFinder ‪$siteFinder)
    {
        $this->siteFinder = ‪$siteFinder ?? GeneralUtility::makeInstance(SiteFinder::class);
    }
 
    public function ‪isValid(string $value): bool
    {
        if ($value === '') {
            return false;
        }
        // Validate the URL
        if ($this->‪isRelativeUrl($value) || $this->‪isInCurrentDomain($value) || $this->‪isInLocalDomain($value)) {
            return true;
        }
        // URL is not allowed
        $this->logger->warning('Url "' . $value . '" was not accepted.');
        return false;
    }
 
    protected function ‪isInCurrentDomain(string $url): bool
    {
        $urlWithoutSchema = preg_replace('#^https?://#', '', $url) ?? '';
        $siteUrlWithoutSchema = preg_replace('#^https?://#', '', GeneralUtility::getIndpEnv('TYPO3_SITE_URL')) ?? '';
        return strpos($urlWithoutSchema . '/', GeneralUtility::getIndpEnv('HTTP_HOST') . '/') === 0
            && strpos($urlWithoutSchema, $siteUrlWithoutSchema) === 0;
    }
 
    protected function ‪isInLocalDomain(string $url): bool
    {
        if (!‪GeneralUtility::isValidUrl($url)) {
            return false;
        }
        $parsedUrl = parse_url($url);
        if ($parsedUrl['scheme'] === 'http' || $parsedUrl['scheme'] === 'https') {
            $host = $parsedUrl['host'];
            foreach ($this->siteFinder->getAllSites() as $site) {
                if ($site->getBase()->getHost() === $host) {
                    return true;
                }
            }
        }
        return false;
    }
 
    protected function ‪isRelativeUrl($url): bool
    {
        $url = GeneralUtility::sanitizeLocalUrl($url);
        if (!empty($url)) {
            $parsedUrl = @parse_url($url);
            if ($parsedUrl !== false && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
                // If the relative URL starts with a slash, we need to check if it's within the current site path
                return $parsedUrl['path'][0] !== '/' || GeneralUtility::isFirstPartOfStr($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
            }
        }
        return false;
    }
}