isSafeRedirectUrl host comparison fails on non-default ports

### Bug: isSafeRedirectUrl host comparison fails on non-default ports

**Problem**
`java.net.URI.getHost()` returns host **without port**, while
`cbSecurity.getRealHost()` returns `host:port`.

This causes valid same-host redirects to be rejected when running on
non-default ports (e.g. during dev), collapsing
`_securedURL` to `/`.

**Example**
URI.getHost() = 127.0.0.1
URI.getPort() = 61910
getRealHost() = 127.0.0.1:61910


Direct comparison fails even though the host is the same.

**Fix**
Normalize `getRealHost()` to host-only before comparison.

**Patch**  -   /Interceptors/Security.cfc (line 828)

// Get the current request's host for comparison
// Normalize host: urlToValidate.getHost() does not include port
// Strip port from .getRealHost() for compare
var currentHost = listFirst( variables.cbSecurity.getRealHost(), ":" );

// Compare hosts (case-insensitive)
return compareNoCase( urlToValidate.getHost(), currentHost ) == 0;

**/Patch**

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

isSafeRedirectUrl host comparison fails on non-default ports #62

Bug: isSafeRedirectUrl host comparison fails on non-default ports

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

isSafeRedirectUrl host comparison fails on non-default ports #62

Description

Bug: isSafeRedirectUrl host comparison fails on non-default ports

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions