public function RedirectResponseSubscriber::sanitizeDestination in Zircon Profile 8.0
Same name and namespace in other branches
- 8 core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination()
Sanitize the destination parameter to prevent open redirect attacks.
Parameters
\Symfony\Component\HttpKernel\Event\GetResponseEvent $event: The Event to process.
File
- core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php, line 143
  Contains \Drupal\Core\EventSubscriber\RedirectResponseSubscriber.
Class
- RedirectResponseSubscriber
- Allows manipulation of the response object when performing a redirect.
Namespace
Drupal\Core\EventSubscriber
Code
  // Imports used by this method, as declared at the top of the containing file.
  use Drupal\Component\Utility\UrlHelper;
  use Symfony\Component\HttpKernel\Event\GetResponseEvent;

  public function sanitizeDestination(GetResponseEvent $event) {
    $request = $event->getRequest();
    // Sanitize the destination parameter (which is often used for redirects) to
    // prevent open redirect attacks leading to other domains. Sanitize both
    // $_GET['destination'] and $_REQUEST['destination'] to protect code that
    // relies on either, but do not sanitize $_POST to avoid interfering with
    // unrelated form submissions. The sanitization happens here because
    // url_is_external() requires the variable system to be available.
    $query_info = $request->query;
    $request_info = $request->request;
    if ($query_info->has('destination') || $request_info->has('destination')) {
      // If the destination is an external URL, remove it.
      if ($query_info->has('destination') && UrlHelper::isExternal($query_info->get('destination'))) {
        $query_info->remove('destination');
        $request_info->remove('destination');
      }
      // If there's still something in $_REQUEST['destination'] that didn't come
      // from $_GET, check it too.
      if ($request_info->has('destination') && (!$query_info->has('destination') || $request_info->get('destination') != $query_info->get('destination')) && UrlHelper::isExternal($request_info->get('destination'))) {
        $request_info->remove('destination');
      }
    }
  }
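To see which destination values this subscriber strips and how the query-bag and request-bag checks interact, here is a stand-alone model of the same logic that runs without booting Drupal. It is an added example, not Drupal's code: isExternalStandIn() is an assumed, simplified approximation of UrlHelper::isExternal() (scheme-prefixed, protocol-relative and backslash-prefixed URLs only), and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Stand-in for UrlHelper::isExternal() (simplified assumption, see lead-in):
// flags scheme-prefixed, protocol-relative and backslash-prefixed URLs.
function isExternalStandIn(string $path): bool {
  // Browsers treat backslashes like forward slashes, so normalise first.
  $path = str_replace('\\', '/', $path);
  // Protocol-relative URLs (//host/...) always point off-site.
  if (strpos($path, '//') === 0) {
    return TRUE;
  }
  // A URL scheme followed by ':' marks an absolute URL.
  return (bool) preg_match('#^[a-z][a-z0-9+.-]*:#i', $path);
}

// Mirrors sanitizeDestination(): $query models $request->query and $post
// models $request->request. Returns both bags after sanitization.
function sanitizeDestinationArrays(array $query, array $post): array {
  if (isset($query['destination']) || isset($post['destination'])) {
    // External $_GET destination: drop it from both bags.
    if (isset($query['destination']) && isExternalStandIn($query['destination'])) {
      unset($query['destination'], $post['destination']);
    }
    // A $_POST destination that differs from $_GET gets its own check.
    if (isset($post['destination'])
      && (!isset($query['destination']) || $post['destination'] != $query['destination'])
      && isExternalStandIn($post['destination'])) {
      unset($post['destination']);
    }
  }
  return ['query' => $query, 'post' => $post];
}

// Constructed sample requests, labelled by the expected outcome.
$cases = [
  'internal path kept'         => [['destination' => '/user/1'], []],
  'absolute URL dropped'       => [['destination' => 'https://evil.example/'], []],
  'protocol-relative dropped'  => [['destination' => '//evil.example/'], []],
  'backslash form dropped'     => [['destination' => '\\\\evil.example/'], []],
  'POST-only external dropped' => [[], ['destination' => 'https://evil.example/']],
  'POST internal kept'         => [['destination' => '/node/1'], ['destination' => '/node/2']],
];
foreach ($cases as $label => [$query, $post]) {
  $result = sanitizeDestinationArrays($query, $post);
  printf("%-27s query=%s post=%s\n", $label,
    json_encode($result['query']), json_encode($result['post']));
}
```

Run it with `php example.php` (PHP 7.1 or later); each line shows which bags still carry a destination after sanitization.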