From 321054332da5138867664196e7f6116ac20e0d4f Mon Sep 17 00:00:00 2001
From: matlec
Date: Fri, 17 Oct 2025 11:08:59 +0200
Subject: [PATCH] =?UTF-8?q?[Security]=20Fix=20`HttpUtils::createRequest()`?= =?UTF-8?q?=20when=20the=20context=E2=80=99s=20base=20URL=20isn=E2=80=99t?= =?UTF-8?q?=20empty?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Component/Security/Http/HttpUtils.php | 18 ++++++++++++---
 .../Security/Http/Tests/HttpUtilsTest.php | 23 ++++++++++++++++++-
 2 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/src/Symfony/Component/Security/Http/HttpUtils.php b/src/Symfony/Component/Security/Http/HttpUtils.php
index af0c732fd03d6..8cdc8806b6828 100644
--- a/src/Symfony/Component/Security/Http/HttpUtils.php
+++ b/src/Symfony/Component/Security/Http/HttpUtils.php
@@ -73,9 +73,21 @@ public function createRequest(Request $request, string $path): Request
 if ($trustedProxies = Request::getTrustedProxies()) {
 Request::setTrustedProxies([], Request::getTrustedHeaderSet());
 }
- $newRequest = Request::create($this->generateUri($request, $path), 'get', [], $request->cookies->all(), [], $request->server->all());
- if ($trustedProxies) {
- Request::setTrustedProxies($trustedProxies, Request::getTrustedHeaderSet());
+
+ $context = $this->urlGenerator?->getContext();
+ if ($baseUrl = $context?->getBaseUrl()) {
+ $context->setBaseUrl('');
+ }
+
+ try {
+ $newRequest = Request::create($this->generateUri($request, $path), 'get', [], $request->cookies->all(), [], $request->server->all());
+ } finally {
+ if ($trustedProxies) {
+ Request::setTrustedProxies($trustedProxies, Request::getTrustedHeaderSet());
+ }
+ if ($baseUrl) {
+ $context->setBaseUrl($baseUrl);
+ }
 }
 
 static $setSession;
diff --git a/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php b/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
index c042b02c9ad5f..17cf30722751a 100644
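Review bot: The new `finally` only guards what runs inside `try`, while `Request::setTrustedProxies([], ...)` in the context lines above and the added `getContext()` / `getBaseUrl()` / `setBaseUrl('')` calls all run before `try {`. If one of those context calls throws (a custom `UrlGeneratorInterface` implementation could), the static trusted-proxy list stays empty for the rest of the process, so `X-Forwarded-*` values stop being honoured for client IP, host and scheme. Initialising `$context` and `$baseUrl` to `null` first and opening `try {` directly after the `setTrustedProxies([], ...)` block, with the context lookup and `setBaseUrl('')` inside it, would close that window. The body of `createRequest()` continues past the end of this hunk.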
--- a/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
@@ -16,10 +16,13 @@
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Routing\Exception\MethodNotAllowedException;
 use Symfony\Component\Routing\Exception\ResourceNotFoundException;
+use Symfony\Component\Routing\Generator\UrlGenerator;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\Matcher\RequestMatcherInterface;
 use Symfony\Component\Routing\Matcher\UrlMatcherInterface;
 use Symfony\Component\Routing\RequestContext;
+use Symfony\Component\Routing\Route;
+use Symfony\Component\Routing\RouteCollection;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
@@ -233,7 +236,7 @@ public static function provideSecurityRequestAttributes()
 ];
 }
 
- public function testCreateRequestHandlesTrustedHeaders()
+ public function testCreateRequestFromPathHandlesTrustedHeaders()
 {
 Request::setTrustedProxies(['127.0.0.1'], Request::HEADER_X_FORWARDED_PREFIX);
 
@@ -243,6 +246,24 @@ public function testCreateRequestHandlesTrustedHeaders()
 );
 }
 
+ public function testCreateRequestFromRouteHandlesTrustedHeaders()
+ {
+ Request::setTrustedProxies(['127.0.0.1'], Request::HEADER_X_FORWARDED_PREFIX);
+
+ $request = Request::create('/', server: ['HTTP_X_FORWARDED_PREFIX' => '/foo']);
+
+ $urlGenerator = new UrlGenerator(
+ $routeCollection = new RouteCollection(),
+ (new RequestContext())->fromRequest($request),
+ );
+ $routeCollection->add('root', new Route('/'));
+
+ $this->assertSame(
+ 'http://localhost/foo/',
+ (new HttpUtils($urlGenerator))->createRequest($request, 'root')->getUri(),
+ );
+ }
+
 public function testCheckRequestPath()
 {
 $utils = new HttpUtils($this->getUrlGenerator());
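Review bot: `testCreateRequestFromRouteHandlesTrustedHeaders()` asserts only the resulting URI, so it does not pin down the restore logic that the same commit adds in `HttpUtils::createRequest()`. After the call I would also check that the shared state is back to its prior values: capture `$baseUrl = $urlGenerator->getContext()->getBaseUrl();` before the call, then add `$this->assertSame($baseUrl, $urlGenerator->getContext()->getBaseUrl());` and `$this->assertSame(['127.0.0.1'], Request::getTrustedProxies());` after it. A second case that passes an unknown route name, expects the exception and then runs the same two assertions would cover the `finally` path. The test also sets trusted proxies globally; whether a `tearDown()` resets them is not visible in this hunk.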