AbstractLoginFormAuthenticator::supports() always returns false if application lives under a directory #44893
Comments
|
This was originally #44318. I've re-reopened it because, to me, it does indeed look like an issue. It's fairly simple: if you deploy your site to a sub-directory (e.g. return $request->isMethod('POST') && $this->getLoginUrl($request) === $request->getPathInfo();
Let me know if I'm mistaken about this being an issue :). |
|
A closely related issue: The same incorrect behavior happens if the site is not using clean URLs, vis, The root problem seems to be the use of There doesn't see to be any obvious way to get that, other than simply hard coding the login path, rather than login route name. But that is the fix that would be needed. |
|
I can confirm this issue. When Symfony is running in a sub-directory (in my case an apache alias) the As workaround, I've overwritten the supports method like this: That works. |
|
It would need some testing, but the solution might be a more generic version of what @a-r-m-i-n suggests: public function supports(Request $request): bool
{
return parent::supports($request) || ($request->isMethod('POST') && $this->getLoginUrl($request) === $request->getBaseUrl() . $request->getPathInfo());
}Basically, leverage |
|
@weaverryan Is there anything new on this issue? If not, I'd try to prepare a PR. We just stumbled upon the same issue and it cost us quite some time until we realised that this one line causes issues. |
|
@sgehrig it would be great if you can submit a PR to 5.4 if you've verified that the code works :) |
… rewriting or from a sub folder
… url rewriting or from a sub folder (sgehrig) This PR was squashed before being merged into the 5.4 branch. Discussion ---------- [Security] Fix login url matching when app is not run with url rewriting or from a sub folder | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #44893 | License | MIT | Doc PR | not required Uses the fix suggested by `@weaverryan` in #44893 (comment). I also added three tests for scenarios which I could replicate from running a simple app on a real webserver (Apache and Nginx). This, however, might not be sufficient because there could be other combinations of server variables like `DOCUMENT_ROOT`, `PHP_SELF`, `SCRIPT_FILENAME`, `SCRIPT_NAME` and possibly others depending on the server configuration and setup. As long as `\Symfony\Component\HttpFoundation\Request::getBaseUrl()` and `\Symfony\Component\HttpFoundation\Request::getPathInfo()` work correctly, I assume that the fix will also be correct in all those constellations. The fix is based on the assumptions that: - `\Symfony\Component\HttpFoundation\Request::getBaseUrl()` always returns an empty string when the application is run from root without the front controller script in the URL (using URL rewriting for example) - `\Symfony\Component\HttpFoundation\Request::getBaseUrl()` always returns the path from the server root to the application base path (possibly including the front controller script) - `\Symfony\Component\HttpFoundation\Request::getPathInfo()` always returns just the *routed* part of the request Please advise if you'd need some more tests. Commits ------- ff340e2 [Security] Fix login url matching when app is not run with url rewriting or from a sub folder
… url rewriting or from a sub folder (sgehrig) This PR was squashed before being merged into the 5.4 branch. Discussion ---------- [Security] Fix login url matching when app is not run with url rewriting or from a sub folder | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #44893 | License | MIT | Doc PR | not required Uses the fix suggested by `@weaverryan` in symfony/symfony#44893 (comment). I also added three tests for scenarios which I could replicate from running a simple app on a real webserver (Apache and Nginx). This, however, might not be sufficient because there could be other combinations of server variables like `DOCUMENT_ROOT`, `PHP_SELF`, `SCRIPT_FILENAME`, `SCRIPT_NAME` and possibly others depending on the server configuration and setup. As long as `\Symfony\Component\HttpFoundation\Request::getBaseUrl()` and `\Symfony\Component\HttpFoundation\Request::getPathInfo()` work correctly, I assume that the fix will also be correct in all those constellations. The fix is based on the assumptions that: - `\Symfony\Component\HttpFoundation\Request::getBaseUrl()` always returns an empty string when the application is run from root without the front controller script in the URL (using URL rewriting for example) - `\Symfony\Component\HttpFoundation\Request::getBaseUrl()` always returns the path from the server root to the application base path (possibly including the front controller script) - `\Symfony\Component\HttpFoundation\Request::getPathInfo()` always returns just the *routed* part of the request Please advise if you'd need some more tests. Commits ------- ff340e2128 [Security] Fix login url matching when app is not run with url rewriting or from a sub folder
Discussed in #44329
Originally posted by php4fan November 28, 2021
Symfony version(s) affected
5.4.0
Description
Say you have an application deployed to
https://somedomain.com/my/path, as opposed to justhttps://somedomain.com/.I think you usually call that an application that "lives under a subdirectory" (or directory, or folder).
I expect EVERYTHING in the framework to work out of the box with ZERO configuration in that scenario. Generally, Symfony does know how to handle that.
Out-of-the-box login authentication however seems to be one of those things that do not work as expected in the under-a-directory scenario.
I think that's due to the
AbstractLoginFormAuthenticator::supports()method whose current implementation is:In this scenario,
$this->getLoginUrl($request)returns/my/path/login, while$request->getPathInfo()returns just/loginwhen the url being requested is/my/path/info.How to reproduce
Deploy a Symfony application under a directory.
Make a
LoginFormAuthenticatorwithmake:authTry to log in.
Possible Solution
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: