@@ -847,7 +847,7 @@ public function testGetUnauthenticatedRedirectUrlWithBasePath()
847847 );
848848 }
849849
850- public function testGetLoginRedirect ()
850+ public function testGetLoginRedirectInvalid ()
851851 {
852852 $ service = new AuthenticationService ([
853853 'unauthenticatedRedirect ' => '/users/login ' ,
@@ -888,6 +888,39 @@ public function testGetLoginRedirect()
888888 '/path/with?query=string ' ,
889889 $ service ->getLoginRedirect ($ request )
890890 );
891+
892+ $ request = ServerRequestFactory::fromGlobals (
893+ ['REQUEST_URI ' => '/login ' ],
894+ ['redirect ' => '/ \\evil.com ' ]
895+ );
896+ $ this ->assertNull (
897+ $ service ->getLoginRedirect ($ request )
898+ );
899+
900+ $ request = ServerRequestFactory::fromGlobals (
901+ ['REQUEST_URI ' => '/login ' ],
902+ ['redirect ' => '\\/ \\evil.com ' ]
903+ );
904+ $ this ->assertNull (
905+ $ service ->getLoginRedirect ($ request )
906+ );
907+
908+ $ request = ServerRequestFactory::fromGlobals (
909+ ['REQUEST_URI ' => '/login ' ],
910+ ['redirect ' => '\\evil.com/path ' ]
911+ );
912+ $ this ->assertSame (
913+ '/evil.com/path ' ,
914+ $ service ->getLoginRedirect ($ request )
915+ );
916+
917+ $ request = ServerRequestFactory::fromGlobals (
918+ ['REQUEST_URI ' => '/login ' ],
919+ ['redirect ' => '\\\\evil.com/path ' ]
920+ );
921+ $ this ->assertNull (
922+ $ service ->getLoginRedirect ($ request )
923+ );
891924 }
892925
893926 /**
0 commit comments