public function RedirectResponseSubscriber::sanitizeDestination

public RedirectResponseSubscriber::sanitizeDestination(GetResponseEvent $event)

Sanitize the destination parameter to prevent open redirect attacks.

Parameters

\Symfony\Component\HttpKernel\Event\GetResponseEvent $event: The Event to process.

File

core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php, line 138

Class

RedirectResponseSubscriber

Allows manipulation of the response object when performing a redirect.

Namespace

Drupal\Core\EventSubscriber

Code

public function sanitizeDestination(GetResponseEvent $event) {
  $request = $event->getRequest();
  // Sanitize the destination parameter (which is often used for redirects) to
  // prevent open redirect attacks leading to other domains. Sanitize both
  // $_GET['destination'] and $_REQUEST['destination'] to protect code that
  // relies on either, but do not sanitize $_POST to avoid interfering with
  // unrelated form submissions. The sanitization happens here because
  // url_is_external() requires the variable system to be available.
  $query_info = $request->query;
  $request_info = $request->request;
  if ($query_info->has('destination') || $request_info->has('destination')) {
    // If the destination is an external URL, remove it.
    if ($query_info->has('destination') && UrlHelper::isExternal($query_info->get('destination'))) {
      $query_info->remove('destination');
      $request_info->remove('destination');
    }
    // If there's still something in $_REQUEST['destination'] that didn't come
    // from $_GET, check it too.
    if ($request_info->has('destination') && (!$query_info->has('destination') || $request_info->get('destination') != $query_info->get('destination')) && UrlHelper::isExternal($request_info->get('destination'))) {
      $request_info->remove('destination');
    }
  }
}