AddSessionDomainConstraintPass.php 1.6 KB

  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler;
  11. use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
  12. use Symfony\Component\DependencyInjection\ContainerBuilder;
  13. /**
  14. * Uses the session domain to restrict allowed redirection targets.
  15. *
  16. * @author Nicolas Grekas <p@tchwork.com>
  17. */
  18. class AddSessionDomainConstraintPass implements CompilerPassInterface
  19. {
  20. /**
  21. * {@inheritdoc}
  22. */
  23. public function process(ContainerBuilder $container)
  24. {
  25. if (!$container->hasParameter('session.storage.options') || !$container->has('security.http_utils')) {
  26. return;
  27. }
  28. $sessionOptions = $container->getParameter('session.storage.options');
  29. $domainRegexp = empty($sessionOptions['cookie_domain']) ? '%%s' : sprintf('(?:%%%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));
  30. if ('auto' === ($sessionOptions['cookie_secure'] ?? null)) {
  31. $secureDomainRegexp = sprintf('{^https://%s$}i', $domainRegexp);
  32. $domainRegexp = 'https?://'.$domainRegexp;
  33. } else {
  34. $secureDomainRegexp = null;
  35. $domainRegexp = (empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://').$domainRegexp;
  36. }
  37. $container->findDefinition('security.http_utils')
  38. ->addArgument(sprintf('{^%s$}i', $domainRegexp))
  39. ->addArgument($secureDomainRegexp);
  40. }
  41. }