Fix isSafeRedirectUrl host comparison for non-default ports

Copilot · lmajano · Copilot · commit 009d388986e0 · 2026-01-14T18:10:39.000Z
- Strip port from getRealHost() before comparing with URI.getHost()
- Add test cases for non-default port scenarios
- Fixes issue where valid same-host redirects were rejected during dev

Co-authored-by: lmajano &lt;137111+lmajano@users.noreply.github.com&gt;
diff --git a/interceptors/Security.cfc b/interceptors/Security.cfc
@@ -827,7 +827,9 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 			}
 
 			// Get the current request's host for comparison
-			var currentHost = variables.cbSecurity.getRealHost();
+			// Normalize host: urlToValidate.getHost() does not include port
+			// Strip port from .getRealHost() for compare
+			var currentHost = listFirst( variables.cbSecurity.getRealHost(), ":" );
 
 			// Compare hosts (case-insensitive)
 			return compareNoCase( urlToValidate.getHost(), currentHost ) == 0;
diff --git a/test-harness/tests/specs/unit/SecurityTest.cfc b/test-harness/tests/specs/unit/SecurityTest.cfc
@@ -342,6 +342,39 @@ component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="cbse
 					expect( result ).toBeTrue();
 				} );
 
+				it( "allows URLs with non-default ports when host matches", () => {
+					// Simulate getRealHost returning host with port (e.g., during dev)
+					mockSecurityService.$( "getRealHost", "127.0.0.1:61910" );
+
+					var result = security.isSafeRedirectUrl(
+						targetUrl = "http://127.0.0.1:61910/account",
+						event     = mockEvent
+					);
+					expect( result ).toBeTrue();
+				} );
+
+				it( "allows URLs with different ports when host matches", () => {
+					// getRealHost returns host with port
+					mockSecurityService.$( "getRealHost", "mysite.com:8080" );
+
+					// URL has a different port, but same host
+					var result = security.isSafeRedirectUrl(
+						targetUrl = "https://mysite.com:9000/account",
+						event     = mockEvent
+					);
+					expect( result ).toBeTrue();
+				} );
+
+				it( "blocks URLs with different hosts even with same port", () => {
+					mockSecurityService.$( "getRealHost", "mysite.com:8080" );
+
+					var result = security.isSafeRedirectUrl(
+						targetUrl = "https://malicious.com:8080/phishing",
+						event     = mockEvent
+					);
+					expect( result ).toBeFalse();
+				} );
+
 				it( "handles invalid URLs gracefully", () => {
 					var result = security.isSafeRedirectUrl( targetUrl = "not a valid url://", event = mockEvent );
 					expect( result ).toBeFalse();

Original file line number	Diff line number	Diff line change
`@@ -827,7 +827,9 @@ component accessors="true" extends="coldbox.system.Interceptor" {`
`827`	`827`	`}`
`828`	`828`
`829`	`829`	`// Get the current request's host for comparison`
`830`		`- var currentHost = variables.cbSecurity.getRealHost();`
	`830`	`+ // Normalize host: urlToValidate.getHost() does not include port`
	`831`	`+ // Strip port from .getRealHost() for compare`
	`832`	`+ var currentHost = listFirst( variables.cbSecurity.getRealHost(), ":" );`
`831`	`833`
`832`	`834`	`// Compare hosts (case-insensitive)`
`833`	`835`	`return compareNoCase( urlToValidate.getHost(), currentHost ) == 0;`