From: Christian Flothmann <christian.flothmann@sensiolabs.de>
Date: Thu, 13 Sep 2018 19:04:50 +0200
Subject: [Security\Http] detect bad redirect targets using backslashes

[CVE-2018-19790] https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http

Origin: upstream, https://github.com/symfony/symfony/commit/99a0cec0a6be39ce5ef38386e57339603b33ee5b
---
 src/Symfony/Component/Security/Http/HttpUtils.php      |  2 +-
 .../Component/Security/Http/Tests/HttpUtilsTest.php    | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/Symfony/Component/Security/Http/HttpUtils.php b/src/Symfony/Component/Security/Http/HttpUtils.php
index adfac12..e83b192 100644
--- a/src/Symfony/Component/Security/Http/HttpUtils.php
+++ b/src/Symfony/Component/Security/Http/HttpUtils.php
@@ -61,7 +61,7 @@ class HttpUtils
      */
     public function createRedirectResponse(Request $request, $path, $status = 302)
     {
-        if (null !== $this->domainRegexp && preg_match('#^https?://[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
+        if (null !== $this->domainRegexp && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
             $path = '/';
         }
 
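Review bot: The replacement pattern still demands two or more slash characters after the scheme (`[/\\\\]{2,}+`), so a target such as `http:/pirate.net/foo` or `http:pirate.net/foo` never enters the host comparison and is passed on unchanged. Whether that value then reaches the Location header depends on generateUri(), which is outside this hunk; if it forwards anything starting with `http` verbatim, a browser that tolerates a missing `//` after a special scheme would land on the foreign host. Making the slash run optional keeps every case in the new data provider and closes that gap: `preg_match('#^https?:[/\\\\]*+[^/]++#i', $path, $host)`. Note also that `$host[0]` is the whole matched prefix (`http:\\localhost`, not just the host), so a same-host URL written with backslashes is now rejected by the anchored `%s` pattern; that is fail-closed and acceptable, but a comment such as `// $host[0] is the full "scheme:[/\\]+host" prefix; domainRegexp must match it in full` would spare the next reader the surprise.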
diff --git a/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php b/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
index 93be3cf..eb5fa65 100644
--- a/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
@@ -53,14 +53,28 @@ class HttpUtilsTest extends \PHPUnit_Framework_TestCase
         $this->assertTrue($response->isRedirect('http://localhost/blog'));
     }
 
-    public function testCreateRedirectResponseWithBadRequestsDomain()
+    /**
+     * @dataProvider badRequestDomainUrls
+     */
+    public function testCreateRedirectResponseWithBadRequestsDomain($url)
     {
         $utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');
-        $response = $utils->createRedirectResponse($this->getRequest(), 'http://pirate.net/foo');
+        $response = $utils->createRedirectResponse($this->getRequest(), $url);
 
         $this->assertTrue($response->isRedirect('http://localhost/'));
     }
 
+    public function badRequestDomainUrls()
+    {
+        return array(
+            array('http://pirate.net/foo'),
+            array('http:\\\\pirate.net/foo'),
+            array('http:/\\pirate.net/foo'),
+            array('http:\\/pirate.net/foo'),
+            array('http://////pirate.net/foo'),
+        );
+    }
+
     public function testCreateRedirectResponseWithProtocolRelativeTarget()
     {
         $utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');
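Review bot: The new provider has no row for the boundary the regex leaves open — a single slash or no slash after the scheme (`http:/pirate.net/foo`, `http:pirate.net/foo`) — nor a mixed-case scheme (`HTTP:\\\\pirate.net/foo`) to pin the `i` modifier, so a later loosening of the pattern would go unnoticed. The single-slash rows are expected to fail against the pattern in this commit unless generateUri() (outside this hunk) normalizes them, which is exactly what the test should surface. Naming the datasets, e.g. `'double backslash' => array('http:\\\\pirate.net/foo')`, would also identify a failing row in PHPUnit output instead of `#1`.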
