@@ 82-84 (lines=3) @@ | ||
79 | $redirectTo = $request->getPostParameter('_form_auth_redirect_to'); |
|
80 | ||
81 | // validate the URL |
|
82 | if (false === filter_var($redirectTo, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED | FILTER_FLAG_PATH_REQUIRED)) { |
|
83 | throw new HttpException('invalid redirect_to URL', 400); |
|
84 | } |
|
85 | // extract the "host" part of the URL |
|
86 | if (false === $redirectToHost = parse_url($redirectTo, PHP_URL_HOST)) { |
|
87 | throw new HttpException('invalid redirect_to URL, unable to extract host', 400); |
@@ 171-173 (lines=3) @@ | ||
168 | ||
169 | // XXX we also should enforce HTTPS |
|
170 | $redirectUri = $request->getQueryParameter('redirect_uri'); |
|
171 | if (false === filter_var($redirectUri, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED | FILTER_FLAG_PATH_REQUIRED)) { |
|
172 | throw new HttpException('invalid redirect_uri', 400); |
|
173 | } |
|
174 | if (false !== strpos($redirectUri, '?')) { |
|
175 | throw new HttpException('invalid redirect_uri', 400); |
|
176 | } |