Skip to content

[Security] Ignore target route when exiting impersonation #61486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 22, 2025
Merged

[Security] Ignore target route when exiting impersonation #61486

merged 1 commit into from
Aug 22, 2025
+16 −1

Conversation

MatTheCat
Copy link
Contributor

@MatTheCat MatTheCat commented Aug 21, 2025
edited
Loading

Q A
Branch? 6.4
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix #53873
License MIT

The user impersonation documentation just mentions

control the redirection target route via target_route

Now, given that Twig’s impersonation_exit_path and impersonation_exit_url have an exitTo parameter but not impersonation_path nor impersonation_url, it looks like target_route should only be used when starting an impersonation. However it is currently also used when exiting, which means that if you configured one, an exitTo argument wouldn’t have any effect.

Based on this assumption, this PR ignores target_route when exiting impersonation.

Since exitTo will now work with target_route this PR technically breaks BC, but since this behavior was broken I’m not sure it needs to be considered.

@MatTheCat MatTheCat requested a review from chalasr as a code owner August 21, 2025 13:27
@carsonbot carsonbot added this to the 6.4 milestone Aug 21, 2025
@fabpot
Copy link
Member

fabpot commented Aug 22, 2025

Thank you @MatTheCat.

@fabpot fabpot merged commit a410ac7 into symfony:6.4 Aug 22, 2025
11 checks passed
@fabpot fabpot mentioned this pull request Aug 22, 2025
Closed
@MatTheCat MatTheCat deleted the ticket_53873 branch August 22, 2025 07:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@OskarStark OskarStark OskarStark approved these changes

@alexandre-daubois alexandre-daubois alexandre-daubois approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
6.4
Development

Successfully merging this pull request may close these issues.
6 participants
@MatTheCat @fabpot @nicolas-grekas @OskarStark @alexandre-daubois @carsonbot