[5.x] Harden redirects (#14099)

jasonvarga · web-flow · commit 8639ef96217e · 2026-02-27T10:57:39.000-05:00
diff --git a/src/Exceptions/Concerns/RendersControlPanelExceptions.php b/src/Exceptions/Concerns/RendersControlPanelExceptions.php
@@ -3,6 +3,7 @@
 namespace Statamic\Exceptions\Concerns;
 
 use Illuminate\Auth\Access\AuthorizationException as IlluminateAuthException;
+use Statamic\Facades\URL;
 
 trait RendersControlPanelExceptions
 {
@@ -21,7 +22,7 @@ protected function getAuthExceptionRedirectUrl()
 
         // If we came to this URL from another, we'll send them back, but not
         // if it was the login page otherwise there'd be a redirect loop.
-        if ($referrer && $referrer != cp_route('login')) {
+        if ($referrer && $referrer != cp_route('login') && ! URL::isExternalToApplication($referrer)) {
             return $referrer;
         }
 
diff --git a/src/Http/Controllers/FormController.php b/src/Http/Controllers/FormController.php
@@ -124,7 +124,9 @@ private function formFailure($params, $errors, $form)
 
         $redirect = Arr::get($params, '_error_redirect');
 
-        $response = $redirect ? redirect($redirect) : back();
+        $response = $redirect && ! \Statamic\Facades\URL::isExternalToApplication($redirect)
+            ? redirect($redirect)
+            : back();
 
         return $response->withInput()->withErrors($errors, 'form.'.$form);
     }
@@ -152,7 +154,9 @@ private function formSuccess($params, $submission, $silentFailure = false)
             ]);
         }
 
-        $response = $redirect ? redirect($redirect) : back();
+        $response = $redirect && ! \Statamic\Facades\URL::isExternalToApplication($redirect)
+            ? redirect($redirect)
+            : back();
 
         if (! \Statamic\Facades\URL::isExternal($redirect)) {
             session()->flash("form.{$submission->form()->handle()}.success", __('Submission successful.'));
diff --git a/tests/CP/AuthRedirectTest.php b/tests/CP/AuthRedirectTest.php
@@ -68,6 +68,20 @@ public function it_redirects_somewhere_if_the_referrer_was_the_login_page()
             ->assertSessionHas(['error' => "Can't touch this."]);
     }
 
+    #[Test]
+    public function it_does_not_redirect_to_external_referrer()
+    {
+        $this->setTestRoles(['test' => ['access cp']]);
+        $user = tap(User::make()->assignRole('test'))->save();
+
+        $this
+            ->actingAs($user)
+            ->withHeaders(['referer' => 'https://external.com'])
+            ->get('/cp/hammertime')
+            ->assertRedirect(cp_route('index'))
+            ->assertSessionHas(['error' => "Can't touch this."]);
+    }
+
     #[Test]
     public function it_redirects_to_unauthorized_view_if_there_would_be_a_redirect_loop()
     {
diff --git a/tests/Tags/Form/FormCreateTest.php b/tests/Tags/Form/FormCreateTest.php
@@ -677,6 +677,24 @@ public function it_will_submit_form_and_follow_custom_redirect_with_success()
         $this->assertStringContainsString('<div class="analytics"></div>', $output);
     }
 
+    #[Test]
+    public function it_does_not_follow_external_redirect_on_success()
+    {
+        $this->assertEmpty(Form::find('contact')->submissions());
+
+        $this
+            ->from('/contact')
+            ->post('/!/forms/contact', [
+                'email' => 'san@holo.com',
+                'message' => 'hello',
+                '_redirect' => 'https://evil.com/phishing',
+            ])
+            ->assertSessionHasNoErrors()
+            ->assertLocation('/contact');
+
+        $this->assertCount(1, Form::find('contact')->submissions());
+    }
+
     #[Test]
     public function it_will_submit_form_with_honeypot_filled_and_render_fake_success()
     {
@@ -753,6 +771,29 @@ public function it_wont_submit_form_and_follow_custom_redirect_with_errors()
         $this->assertEmpty($success[1]);
     }
 
+    #[Test]
+    public function it_does_not_follow_external_error_redirect()
+    {
+        $this->assertEmpty(Form::find('contact')->submissions());
+
+        Event::listen(function (\Statamic\Events\FormSubmitted $event) {
+            throw ValidationException::withMessages(['custom' => 'This is a custom message']);
+        });
+
+        $this
+            ->from('/contact')
+            ->post('/!/forms/contact', [
+                '_error_redirect' => 'https://evil.com/phishing',
+                'name' => 'Hansolo',
+                'email' => 'san@holo.com',
+                'message' => 'hello',
+            ])
+            ->assertSessionHasErrors(['custom'], null, 'form.contact')
+            ->assertLocation('/contact');
+
+        $this->assertCount(0, Form::find('contact')->submissions());
+    }
+
     #[Test]
     public function it_will_use_redirect_query_param_off_url()
     {

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`namespace Statamic\Exceptions\Concerns;`
`4`	`4`
`5`	`5`	`use Illuminate\Auth\Access\AuthorizationException as IlluminateAuthException;`
	`6`	`+use Statamic\Facades\URL;`
`6`	`7`
`7`	`8`	`trait RendersControlPanelExceptions`
`8`	`9`	`{`
`@@ -21,7 +22,7 @@ protected function getAuthExceptionRedirectUrl()`
`21`	`22`
`22`	`23`	`// If we came to this URL from another, we'll send them back, but not`
`23`	`24`	`// if it was the login page otherwise there'd be a redirect loop.`
`24`		`- if ($referrer && $referrer != cp_route('login')) {`
	`25`	`+ if ($referrer && $referrer != cp_route('login') && ! URL::isExternalToApplication($referrer)) {`
`25`	`26`	`return $referrer;`
`26`	`27`	`}`
`27`	`28`