[6.x] Harden URL::isExternalToApplication() (#14287)

duncanmcclean · jasonvarga · web-flow · commit 0bfd904f52da · 2026-03-18T12:21:12.000-04:00
Co-authored-by: Jason Varga &lt;jason@pixelfear.com&gt;
diff --git a/src/Facades/Endpoint/URL.php b/src/Facades/Endpoint/URL.php
@@ -274,7 +274,7 @@ public function isExternalToApplication(?string $url): bool
             ->filter(fn ($siteUrl) => $urlDomain === $siteUrl)
             ->isEmpty();
 
-        $isExternalToCurrentRequestDomain = ! Str::startsWith($url, self::getDomainFromAbsolute(url()->to('/')));
+        $isExternalToCurrentRequestDomain = $urlDomain !== self::getDomainFromAbsolute(url()->to('/'));
 
         return self::$externalAppUrlsCache[$url] = $isExternalToSites && $isExternalToCurrentRequestDomain;
     }
@@ -386,7 +386,7 @@ private function getAbsoluteSiteUrls(): Collection
      */
     private function getDomainFromAbsolute(string $url): string
     {
-        return preg_replace('/(https*:\/\/[^\/]+)(.*)/', '$1', $url);
+        return parse_url($url, PHP_URL_HOST) ?? $url;
     }
 
     /**
diff --git a/tests/Facades/Concerns/ProvidesExternalUrls.php b/tests/Facades/Concerns/ProvidesExternalUrls.php
@@ -67,6 +67,21 @@ public static function externalUrlProvider()
             ['http://subdomain.this-site.com.au/some-slug', true],
             ['http://subdomain.this-site.com.au/some-slug?foo', true],
             ['http://subdomain.this-site.com.au/some-slug#anchor', true],
+
+            // Credential injection
+            ['http://this-site.com@evil.com', true],
+            ['http://this-site.com@evil.com/', true],
+            ['http://this-site.com@evil.com/path', true],
+            ['http://this-site.com@evil.com/path?query', true],
+            ['http://this-site.com:password@evil.com', true],
+            ['http://user:pass@evil.com', true],
+            ['http://absolute-url-resolved-from-request.com@evil.com', true],
+            ['http://absolute-url-resolved-from-request.com@evil.com/path', true],
+            ['http://subdomain.this-site.com@evil.com', true],
+            ['http://subdomain.this-site.com@evil.com/path', true],
+            ['http://this-site.com:8000@evil.com', true],
+            ['http://this-site.com:8000@evil.com/path', true],
+            ['http://this-site.com:8000@webhook.site/token', true],
         ];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -274,7 +274,7 @@ public function isExternalToApplication(?string $url): bool`
`274`	`274`	`->filter(fn ($siteUrl) => $urlDomain === $siteUrl)`
`275`	`275`	`->isEmpty();`
`276`	`276`
`277`		`- $isExternalToCurrentRequestDomain = ! Str::startsWith($url, self::getDomainFromAbsolute(url()->to('/')));`
	`277`	`+ $isExternalToCurrentRequestDomain = $urlDomain !== self::getDomainFromAbsolute(url()->to('/'));`
`278`	`278`
`279`	`279`	`return self::$externalAppUrlsCache[$url] = $isExternalToSites && $isExternalToCurrentRequestDomain;`
`280`	`280`	`}`
`@@ -386,7 +386,7 @@ private function getAbsoluteSiteUrls(): Collection`
`386`	`386`	`*/`
`387`	`387`	`private function getDomainFromAbsolute(string $url): string`
`388`	`388`	`{`
`389`		`- return preg_replace('/(https:\/\/[^\/]+)(.)/', '$1', $url);`
	`389`	`+ return parse_url($url, PHP_URL_HOST) ?? $url;`
`390`	`390`	`}`
`391`	`391`
`392`	`392`	`/**`