@@ -915,7 +915,7 @@ public function testGetUnauthenticatedRedirectUrlWithBasePath()
915915 );
916916 }
917917
918- public function testGetLoginRedirect ()
918+ public function testGetLoginRedirectInvalid ()
919919 {
920920 $ service = new AuthenticationService ([
921921 'unauthenticatedRedirect ' => '/users/login ' ,
@@ -956,6 +956,39 @@ public function testGetLoginRedirect()
956956 '/path/with?query=string ' ,
957957 $ service ->getLoginRedirect ($ request ),
958958 );
959+
960+ $ request = ServerRequestFactory::fromGlobals (
961+ ['REQUEST_URI ' => '/login ' ],
962+ ['redirect ' => '/ \\evil.com ' ],
963+ );
964+ $ this ->assertNull (
965+ $ service ->getLoginRedirect ($ request ),
966+ );
967+
968+ $ request = ServerRequestFactory::fromGlobals (
969+ ['REQUEST_URI ' => '/login ' ],
970+ ['redirect ' => '\\/ \\evil.com ' ],
971+ );
972+ $ this ->assertNull (
973+ $ service ->getLoginRedirect ($ request ),
974+ );
975+
976+ $ request = ServerRequestFactory::fromGlobals (
977+ ['REQUEST_URI ' => '/login ' ],
978+ ['redirect ' => '\\evil.com/path ' ],
979+ );
980+ $ this ->assertSame (
981+ '/evil.com/path ' ,
982+ $ service ->getLoginRedirect ($ request ),
983+ );
984+
985+ $ request = ServerRequestFactory::fromGlobals (
986+ ['REQUEST_URI ' => '/login ' ],
987+ ['redirect ' => '\\\\evil.com/path ' ],
988+ );
989+ $ this ->assertNull (
990+ $ service ->getLoginRedirect ($ request ),
991+ );
959992 }
960993
961994 /**
0 commit comments