@@ 54-56 (lines=3) @@ | ||
51 | $redirectTo = $request->getPostParameter('_form_auth_redirect_to'); |
|
52 | ||
53 | // validate the URL |
|
54 | if (false === filter_var($redirectTo, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED | FILTER_FLAG_PATH_REQUIRED)) { |
|
55 | throw new HttpException('invalid redirect_to URL', 400); |
|
56 | } |
|
57 | // extract the "host" part of the URL |
|
58 | if (false === $redirectToHost = parse_url($redirectTo, PHP_URL_HOST)) { |
|
59 | throw new HttpException('invalid redirect_to URL, unable to extract host', 400); |
@@ 159-161 (lines=3) @@ | ||
156 | // XXX we also should enforce HTTPS |
|
157 | $redirectUri = $request->getQueryParameter('redirect_uri'); |
|
158 | // XXX MUST not have "?" |
|
159 | if (false === filter_var($redirectUri, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED | FILTER_FLAG_PATH_REQUIRED)) { |
|
160 | throw new HttpException('invalid redirect_uri', 400); |
|
161 | } |
|
162 | $responseType = $request->getQueryParameter('response_type'); |
|
163 | if ('token' !== $responseType) { |
|
164 | throw new HttpException('invalid response_type', 400); |