‪TYPO3CMS  ‪main
RedirectUrlValidator.php
Go to the documentation of this file.
1 <?php
2 
3 declare(strict_types=1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
19 
20 use Psr\Log\LoggerAwareInterface;
21 use Psr\Log\LoggerAwareTrait;
25 
32 class ‪RedirectUrlValidator implements LoggerAwareInterface
33 {
34  use LoggerAwareTrait;
35 
36  public function ‪__construct(protected ‪SiteFinder $siteFinder) {}
37 
41  public function ‪isValid(‪RequestInterface $request, string $value): bool
42  {
43  if ($value === '') {
44  return false;
45  }
46  // Validate the URL
47  if ($this->‪isRelativeUrl($value) || $this->‪isInCurrentDomain($request, $value) || $this->‪isInLocalDomain($value)) {
48  return true;
49  }
50  // URL is not allowed
51  $this->logger->debug('Url "{url}" was not accepted.', ['url' => $value]);
52  return false;
53  }
54 
59  protected function ‪isInCurrentDomain(‪RequestInterface $request, string ‪$url): bool
60  {
61  $urlWithoutSchema = preg_replace('#^https?://#', '', ‪$url) ?? '';
62  $siteUrlWithoutSchema = preg_replace('#^https?://#', '', $request->getAttribute('normalizedParams')->getSiteUrl()) ?? '';
63  // this condition only exists to satisfy phpstan, which complains that this could be an array, too.
64  if (is_array($siteUrlWithoutSchema)) {
65  $siteUrlWithoutSchema = $siteUrlWithoutSchema[0];
66  }
67  return str_starts_with($urlWithoutSchema . '/', $request->getAttribute('normalizedParams')->getHttpHost() . '/')
68  && str_starts_with($urlWithoutSchema, $siteUrlWithoutSchema);
69  }
70 
74  protected function ‪isInLocalDomain(string ‪$url): bool
75  {
77  return false;
78  }
79  $parsedUrl = parse_url(‪$url);
80  if ($parsedUrl['scheme'] === 'http' || $parsedUrl['scheme'] === 'https') {
81  $host = $parsedUrl['host'];
82  foreach ($this->siteFinder->getAllSites() as $site) {
83  if ($site->getBase()->getHost() === $host) {
84  return true;
85  }
86  }
87  }
88  return false;
89  }
90 
94  protected function ‪isRelativeUrl(string ‪$url): bool
95  {
96  ‪$url = GeneralUtility::sanitizeLocalUrl(‪$url);
97  if (!empty(‪$url)) {
98  $parsedUrl = @parse_url(‪$url);
99  if ($parsedUrl !== false && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
100  // If the relative URL starts with a slash, we need to check if it's within the current site path
101  return $parsedUrl['path'][0] !== '/' || str_starts_with($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
102  }
103  }
104  return false;
105  }
106 }
‪TYPO3\CMS\FrontendLogin\Validation\RedirectUrlValidator\__construct
‪__construct(protected SiteFinder $siteFinder)
Definition: RedirectUrlValidator.php:36
‪TYPO3\CMS\Core\Site\SiteFinder
Definition: SiteFinder.php:31
‪TYPO3\CMS\FrontendLogin\Validation\RedirectUrlValidator\isInLocalDomain
‪isInLocalDomain(string $url)
Definition: RedirectUrlValidator.php:74
‪TYPO3\CMS\FrontendLogin\Validation\RedirectUrlValidator\isValid
‪isValid(RequestInterface $request, string $value)
Definition: RedirectUrlValidator.php:41
‪TYPO3\CMS\Extbase\Mvc\RequestInterface
Definition: RequestInterface.php:24
‪TYPO3\CMS\Webhooks\Message\$url
‪identifier readonly UriInterface $url
Definition: LoginErrorOccurredMessage.php:36
‪TYPO3\CMS\Core\Utility\GeneralUtility\isValidUrl
‪static bool isValidUrl(string $url)
Definition: GeneralUtility.php:708
‪TYPO3\CMS\FrontendLogin\Validation\RedirectUrlValidator\isInCurrentDomain
‪isInCurrentDomain(RequestInterface $request, string $url)
Definition: RedirectUrlValidator.php:59
‪TYPO3\CMS\FrontendLogin\Validation\RedirectUrlValidator
Definition: RedirectUrlValidator.php:33
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:52
‪TYPO3\CMS\FrontendLogin\Validation
Definition: RedirectUrlValidator.php:18
‪TYPO3\CMS\FrontendLogin\Validation\RedirectUrlValidator\isRelativeUrl
‪isRelativeUrl(string $url)
Definition: RedirectUrlValidator.php:94