MAGETWO-55605: Security Issue with referrer

Author: balex13

app/code/Magento/Customer/Model/Account/Redirect.php

@@ -9,6 +9,7 @@
 use Magento\Customer\Model\Url as CustomerUrl;
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\Controller\ResultFactory;
+use Magento\Framework\Url\HostChecker;
 use Magento\Framework\UrlInterface;
 use Magento\Store\Model\ScopeInterface;
 use Magento\Store\Model\StoreManagerInterface;
@@ -53,6 +54,7 @@ class Redirect
     protected $customerUrl;
 
     /**
+     * @deprecated
      * @var UrlInterface
      */
     protected $url;
@@ -67,6 +69,11 @@ class Redirect
      */
     protected $cookieManager;
 
+    /**
+     * @var HostChecker
+     */
+    private $hostChecker;
+
     /**
      * @param RequestInterface $request
      * @param Session $customerSession
@@ -76,6 +83,7 @@ class Redirect
      * @param DecoderInterface $urlDecoder
      * @param CustomerUrl $customerUrl
      * @param ResultFactory $resultFactory
+     * @param HostChecker|null $hostChecker
      */
     public function __construct(
         RequestInterface $request,
@@ -85,7 +93,8 @@ public function __construct(
         UrlInterface $url,
         DecoderInterface $urlDecoder,
         CustomerUrl $customerUrl,
-        ResultFactory $resultFactory
+        ResultFactory $resultFactory,
+        HostChecker $hostChecker = null
     ) {
         $this->request = $request;
         $this->session = $customerSession;
@@ -95,6 +104,7 @@ public function __construct(
         $this->urlDecoder = $urlDecoder;
         $this->customerUrl = $customerUrl;
         $this->resultFactory = $resultFactory;
+        $this->hostChecker = $hostChecker ?: ObjectManager::getInstance()->get(HostChecker::class);
     }
 
     /**
@@ -196,7 +206,7 @@ protected function processLoggedCustomer()
             $referer = $this->request->getParam(CustomerUrl::REFERER_QUERY_PARAM_NAME);
             if ($referer) {
                 $referer = $this->urlDecoder->decode($referer);
-                if ($this->url->isOwnOriginUrl()) {
+                if ($this->hostChecker->isOwnOrigin($referer)) {
                     $this->applyRedirect($referer);
                 }
             }

app/code/Magento/Customer/Model/Url.php

@@ -56,25 +56,43 @@ class Url
      */
     protected $urlEncoder;
 
+    /**
+     * @var \Magento\Framework\Url\DecoderInterface
+     */
+    private $urlDecoder;
+
+    /**
+     * @var \Magento\Framework\Url\HostChecker
+     */
+    private $hostChecker;
+
     /**
      * @param Session $customerSession
      * @param ScopeConfigInterface $scopeConfig
      * @param RequestInterface $request
      * @param UrlInterface $urlBuilder
      * @param EncoderInterface $urlEncoder
+     * @param \Magento\Framework\Url\DecoderInterface|null $urlDecoder
+     * @param \Magento\Framework\Url\HostChecker|null $hostChecker
      */
     public function __construct(
         Session $customerSession,
         ScopeConfigInterface $scopeConfig,
         RequestInterface $request,
         UrlInterface $urlBuilder,
-        EncoderInterface $urlEncoder
+        EncoderInterface $urlEncoder,
+        \Magento\Framework\Url\DecoderInterface $urlDecoder = null,
+        \Magento\Framework\Url\HostChecker $hostChecker = null
     ) {
         $this->request = $request;
         $this->urlBuilder = $urlBuilder;
         $this->scopeConfig = $scopeConfig;
         $this->customerSession = $customerSession;
         $this->urlEncoder = $urlEncoder;
+        $this->urlDecoder = $urlDecoder ?: \Magento\Framework\App\ObjectManager::getInstance()
+            ->get(\Magento\Framework\Url\DecoderInterface::class);
+        $this->hostChecker = $hostChecker ?: \Magento\Framework\App\ObjectManager::getInstance()
+            ->get(\Magento\Framework\Url\HostChecker::class);
     }
 
     /**
@@ -95,7 +113,7 @@ public function getLoginUrl()
     public function getLoginUrlParams()
     {
         $params = [];
-        $referer = $this->request->getParam(self::REFERER_QUERY_PARAM_NAME);
+        $referer = $this->getRequestReferrer();
         if (!$referer
             && !$this->scopeConfig->isSetFlag(
                 self::XML_PATH_CUSTOMER_STARTUP_REDIRECT_TO_DASHBOARD,
@@ -122,9 +140,10 @@ public function getLoginUrlParams()
     public function getLoginPostUrl()
     {
         $params = [];
-        if ($this->request->getParam(self::REFERER_QUERY_PARAM_NAME)) {
+        $referer = $this->getRequestReferrer();
+        if ($referer) {
             $params = [
-                self::REFERER_QUERY_PARAM_NAME => $this->request->getParam(self::REFERER_QUERY_PARAM_NAME),
+                self::REFERER_QUERY_PARAM_NAME => $referer,
             ];
         }
         return $this->urlBuilder->getUrl('customer/account/loginPost', $params);
@@ -220,4 +239,16 @@ public function getEmailConfirmationUrl($email = null)
     {
         return $this->urlBuilder->getUrl('customer/account/confirmation', ['email' => $email]);
     }
+
+    /**
+     * @return mixed|null
+     */
+    private function getRequestReferrer()
+    {
+        $referer = $this->request->getParam(self::REFERER_QUERY_PARAM_NAME);
+        if ($referer && $this->hostChecker->isOwnOrigin($this->urlDecoder->decode($referer))) {
+            return $referer;
+        }
+        return null;
+    }
 }

app/code/Magento/Customer/Test/Unit/Model/Account/RedirectTest.php

@@ -13,6 +13,7 @@
 use Magento\Customer\Model\Account\Redirect;
 use Magento\Customer\Model\Url as CustomerUrl;
 use Magento\Framework\Controller\ResultFactory;
+use Magento\Framework\Url\HostChecker;
 use Magento\Store\Model\ScopeInterface;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
 
@@ -81,6 +82,11 @@ class RedirectTest extends \PHPUnit_Framework_TestCase
      */
     protected $resultFactory;
 
+    /**
+     * @var HostChecker | \PHPUnit_Framework_MockObject_MockObject
+     */
+    private $hostChecker;
+
     protected function setUp()
     {
         $this->request = $this->getMockForAbstractClass(\Magento\Framework\App\RequestInterface::class);
@@ -134,6 +140,10 @@ protected function setUp()
             ->disableOriginalConstructor()
             ->getMock();
 
+        $this->hostChecker = $this->getMockBuilder(HostChecker::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
         $objectManager = new ObjectManager($this);
         $this->model = $objectManager->getObject(
             \Magento\Customer\Model\Account\Redirect::class,
@@ -145,7 +155,8 @@ protected function setUp()
                 'url'                   => $this->url,
                 'urlDecoder'            => $this->urlDecoder,
                 'customerUrl'           => $this->customerUrl,
-                'resultFactory'         => $this->resultFactory
+                'resultFactory'         => $this->resultFactory,
+                'hostChecker' => $this->hostChecker
             ]
         );
     }
@@ -254,6 +265,7 @@ public function testGetRedirect(
 
         $this->resultRedirect->expects($this->once())
             ->method('setUrl')
+            ->with($beforeAuthUrl)
             ->willReturnSelf();
 
         $this->resultFactory->expects($this->once())
@@ -286,6 +298,7 @@ public function getRedirectDataProvider()
         return [
             // Loggend In, Redirect by Referer
             [1, 2, 'referer', 'base', '', '', 'account', '', '', '', true, false],
+            [1, 2, 'http://referer.com/', 'http://base.com/', '', '', 'account', '', '', 'dashboard', true, false],
             // Loggend In, Redirect by AfterAuthUrl
             [1, 2, 'referer', 'base', '', 'defined', 'account', '', '', '', true, true],
             // Not logged In, Redirect by LoginUrl

lib/internal/Magento/Framework/Test/Unit/UrlTest.php

@@ -7,6 +7,7 @@
 // @codingStandardsIgnoreFile
 
 namespace Magento\Framework\Test\Unit;
+use Magento\Framework\Url\HostChecker;
 
 /**
  * Test class for Magento\Framework\Url
@@ -59,6 +60,11 @@ class UrlTest extends \PHPUnit_Framework_TestCase
      */
     protected $urlModifier;
 
+    /**
+     * @var HostChecker|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $hostChecker;
+
     protected function setUp()
     {
         $this->routeParamsResolverMock = $this->getMock(
@@ -549,18 +555,17 @@ public function testAddSessionParam()
 
     /**
      * @param bool $result
-     * @param string $baseUrl
      * @param string $referrer
      * @dataProvider isOwnOriginUrlDataProvider
      */
-    public function testIsOwnOriginUrl($result, $baseUrl, $referrer)
+    public function testIsOwnOriginUrl($result, $referrer)
     {
         $requestMock = $this->getRequestMock();
-        $model = $this->getUrlModel(['scopeResolver' => $this->scopeResolverMock, 'request' => $requestMock]);
+        $this->hostChecker = $this->getMockBuilder(HostChecker::class)
+            ->disableOriginalConstructor()->getMock();
+        $this->hostChecker->expects($this->once())->method('isOwnOrigin')->with($referrer)->willReturn($result);
+        $model = $this->getUrlModel(['hostChecker' => $this->hostChecker, 'request' => $requestMock]);
 
-        $this->scopeMock->expects($this->any())->method('getBaseUrl')->will($this->returnValue($baseUrl));
-        $this->scopeResolverMock->expects($this->any())->method('getScopes')
-            ->will($this->returnValue([$this->scopeMock]));
         $requestMock->expects($this->once())->method('getServer')->with('HTTP_REFERER')
             ->will($this->returnValue($referrer));
 
@@ -570,8 +575,8 @@ public function testIsOwnOriginUrl($result, $baseUrl, $referrer)
     public function isOwnOriginUrlDataProvider()
     {
         return [
-            'is origin url' => [true, 'http://localhost/', 'http://localhost/'],
-            'is not origin url' => [false, 'http://localhost/', 'http://example.com/'],
+            'is origin url' => [true, 'http://localhost/'],
+            'is not origin url' => [false, 'http://example.com/'],
         ];
     }
 

lib/internal/Magento/Framework/Url.php

@@ -8,6 +8,8 @@
 
 namespace Magento\Framework;
 
+use Magento\Framework\Url\HostChecker;
+
 /**
  * URL
  *
@@ -178,6 +180,11 @@ class Url extends \Magento\Framework\DataObject implements \Magento\Framework\Ur
      */
     private $escaper;
 
+    /**
+     * @var HostChecker
+     */
+    private $hostChecker;
+
     /**
      * @param \Magento\Framework\App\Route\ConfigInterface $routeConfig
      * @param \Magento\Framework\App\RequestInterface $request
@@ -191,6 +198,7 @@ class Url extends \Magento\Framework\DataObject implements \Magento\Framework\Ur
      * @param \Magento\Framework\Url\RouteParamsPreprocessorInterface $routeParamsPreprocessor
      * @param string $scopeType
      * @param array $data
+     * @param HostChecker|null $hostChecker
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -205,7 +213,8 @@ public function __construct(
         \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
         \Magento\Framework\Url\RouteParamsPreprocessorInterface $routeParamsPreprocessor,
         $scopeType,
-        array $data = []
+        array $data = [],
+        HostChecker $hostChecker = null
     ) {
         $this->_request = $request;
         $this->_routeConfig = $routeConfig;
@@ -218,6 +227,8 @@ public function __construct(
         $this->_scopeConfig = $scopeConfig;
         $this->routeParamsPreprocessor = $routeParamsPreprocessor;
         $this->_scopeType = $scopeType;
+        $this->hostChecker = $hostChecker ?: \Magento\Framework\App\ObjectManager::getInstance()
+            ->get(HostChecker::class);
         parent::__construct($data);
     }
 
@@ -1086,17 +1097,7 @@ public function useSessionIdForUrl($secure = false)
      */
     public function isOwnOriginUrl()
     {
-        $scopeDomains = [];
-        $referer = parse_url($this->_request->getServer('HTTP_REFERER'), PHP_URL_HOST);
-        foreach ($this->_scopeResolver->getScopes() as $scope) {
-            $scopeDomains[] = parse_url($scope->getBaseUrl(), PHP_URL_HOST);
-            $scopeDomains[] = parse_url($scope->getBaseUrl(UrlInterface::URL_TYPE_LINK, true), PHP_URL_HOST);
-        }
-        $scopeDomains = array_unique($scopeDomains);
-        if (empty($referer) || in_array($referer, $scopeDomains)) {
-            return true;
-        }
-        return false;
+        return $this->hostChecker->isOwnOrigin($this->_request->getServer('HTTP_REFERER'));
     }
 
     /**
@@ -1163,7 +1164,7 @@ protected function getRouteParamsResolver()
     private function getUrlModifier()
     {
         if ($this->urlModifier === null) {
-            $this->urlModifier = \Magento\Framework\App\ObjectManager::getInstance()->get(
+            $this->urlModifier = \Magento\Framework\App\ObjectManager::getInstance()->get(
                 \Magento\Framework\Url\ModifierInterface::class
             );
         }

lib/internal/Magento/Framework/Url/HostChecker.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\Url;
+
+use Magento\Framework\UrlInterface;
+
+/**
+ * Class provides functionality for checks of a host name
+ */
+class HostChecker
+{
+    /**
+     * @var \Magento\Framework\Url\ScopeResolverInterface
+     */
+    private $scopeResolver;
+
+    /**
+     * @param ScopeResolverInterface $scopeResolver
+     */
+    public function __construct(ScopeResolverInterface $scopeResolver)
+    {
+        $this->scopeResolver = $scopeResolver;
+    }
+
+    /**
+     * Check if provided URL is one of the domain URLs assigned to scopes
+     *
+     * @param string $url
+     * @return bool
+     */
+    public function isOwnOrigin($url)
+    {
+        $scopeHostNames = [];
+        $hostName = parse_url($url, PHP_URL_HOST);
+        if (empty($hostName)) {
+            return true;
+        }
+        foreach ($this->scopeResolver->getScopes() as $scope) {
+            $scopeHostNames[] = parse_url($scope->getBaseUrl(), PHP_URL_HOST);
+            $scopeHostNames[] = parse_url($scope->getBaseUrl(UrlInterface::URL_TYPE_LINK, true), PHP_URL_HOST);
+        }
+        $scopeHostNames = array_unique($scopeHostNames);
+        return in_array($hostName, $scopeHostNames);
+    }
+}