From 7ef13e7ef60a935dc75a72a5b63bb49311d469d4 Mon Sep 17 00:00:00 2001
From: Serge Latyntsev <dnsl48@gmail.com>
Date: Fri, 5 Jul 2019 16:05:41 +1200
Subject: [PATCH] FIX Confirmation components to respect SS_BASE_URL (#9074)

---
 src/Control/Middleware/ConfirmationMiddleware.php      | 10 +++++++++-
 src/Control/Middleware/URLSpecialsMiddleware.php       |  9 ++++++++-
 src/Security/Confirmation/Storage.php                  |  5 ++++-
 .../Control/Middleware/ConfirmationMiddlewareTest.php  |  3 ++-
 tests/php/Security/Confirmation/StorageTest.php        |  2 +-
 5 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/src/Control/Middleware/ConfirmationMiddleware.php b/src/Control/Middleware/ConfirmationMiddleware.php
index f4f903d6a..79acbfe21 100644
--- a/src/Control/Middleware/ConfirmationMiddleware.php
+++ b/src/Control/Middleware/ConfirmationMiddleware.php
@@ -33,6 +33,7 @@ class ConfirmationMiddleware implements HTTPMiddleware
 
     /**
      * Confirmation form URL
+     * WARNING: excluding SS_BASE_URL
      *
      * @var string
      */
@@ -81,8 +82,15 @@ class ConfirmationMiddleware implements HTTPMiddleware
      */
     protected function getConfirmationUrl(HTTPRequest $request, $confirmationStorageId)
     {
+        $url = $this->confirmationFormUrl;
+
+        if (substr($url, 0, 1) === '/') {
+            // add BASE_URL explicitly if not absolute
+            $url = Controller::join_links(Director::baseURL(), $url);
+        }
+
         return Controller::join_links(
-            $this->confirmationFormUrl,
+            $url,
             urlencode($confirmationStorageId)
         );
     }
diff --git a/src/Control/Middleware/URLSpecialsMiddleware.php b/src/Control/Middleware/URLSpecialsMiddleware.php
index 073e52e76..b2fb10a6d 100644
--- a/src/Control/Middleware/URLSpecialsMiddleware.php
+++ b/src/Control/Middleware/URLSpecialsMiddleware.php
@@ -2,6 +2,8 @@
 
 namespace SilverStripe\Control\Middleware;
 
+use SilverStripe\Control\Controller;
+use SilverStripe\Control\Director;
 use SilverStripe\Control\Middleware\URLSpecialsMiddleware\FlushScheduler;
 use SilverStripe\Control\Middleware\URLSpecialsMiddleware\SessionEnvTypeSwitcher;
 use SilverStripe\Control\HTTPRequest;
@@ -63,7 +65,12 @@ class URLSpecialsMiddleware extends PermissionAwareConfirmationMiddleware
             $request['urlspecialstoken'] = bin2hex(random_bytes(4));
 
             $result = new HTTPResponse();
-            $result->redirect('/' . $request->getURL(true));
+            $result->redirect(
+                Controller::join_links(
+                    Director::baseURL(),
+                    $request->getURL(true)
+                )
+            );
             return $result;
         }
     }
diff --git a/src/Security/Confirmation/Storage.php b/src/Security/Confirmation/Storage.php
index e27931590..0794e3646 100644
--- a/src/Security/Confirmation/Storage.php
+++ b/src/Security/Confirmation/Storage.php
@@ -2,7 +2,9 @@
 
 namespace SilverStripe\Security\Confirmation;
 
+use SilverStripe\Control\Controller;
 use SilverStripe\Control\Cookie;
+use SilverStripe\Control\Director;
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\Session;
 use SilverStripe\Security\SecurityToken;
@@ -236,7 +238,8 @@ class Storage
      */
     public function setSuccessRequest(HTTPRequest $request)
     {
-        $this->setSuccessUrl($request->getURL(true));
+        $url = Controller::join_links(Director::baseURL(), $request->getURL(true));
+        $this->setSuccessUrl($url);
 
         $httpMethod = $request->httpMethod();
         $this->session->set($this->getNamespace('httpMethod'), $httpMethod);
diff --git a/tests/php/Control/Middleware/ConfirmationMiddlewareTest.php b/tests/php/Control/Middleware/ConfirmationMiddlewareTest.php
index cec934bc6..9b2f43f51 100644
--- a/tests/php/Control/Middleware/ConfirmationMiddlewareTest.php
+++ b/tests/php/Control/Middleware/ConfirmationMiddlewareTest.php
@@ -2,6 +2,7 @@
 
 namespace SilverStripe\Control\Tests\Middleware;
 
+use SilverStripe\Control\Director;
 use SilverStripe\Control\HTTPResponse;
 use SilverStripe\Control\Middleware\ConfirmationMiddleware;
 use SilverStripe\Control\Middleware\ConfirmationMiddleware\Url;
@@ -67,7 +68,7 @@ class ConfirmationMiddlewareTest extends SapphireTest
         $this->assertFalse($next);
         $this->assertInstanceOf(HTTPResponse::class, $response);
         $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('/dev/confirm/middleware', $response->getHeader('location'));
+        $this->assertEquals(Director::baseURL().'dev/confirm/middleware', $response->getHeader('location'));
 
         // Test bypasses have more priority than rules
         $middleware->setBypasses([new Url('dev/build')]);
diff --git a/tests/php/Security/Confirmation/StorageTest.php b/tests/php/Security/Confirmation/StorageTest.php
index 4c36f71a9..a3075769d 100644
--- a/tests/php/Security/Confirmation/StorageTest.php
+++ b/tests/php/Security/Confirmation/StorageTest.php
@@ -69,7 +69,7 @@ class StorageTest extends SapphireTest
 
         // ensure the data is persisted within the session
         $storage = new Storage($session, 'test', false);
-        $this->assertEquals('dev/build?flush=all', $storage->getSuccessUrl());
+        $this->assertEquals('/dev/build?flush=all', $storage->getSuccessUrl());
         $this->assertEquals('GET', $storage->getHttpMethod());
     }