Bug: isSafeRedirectUrl host comparison fails on non-default ports
Problem
java.net.URI.getHost() returns the host without the port, while cbSecurity.getRealHost() returns host:port.
This causes valid same-host redirects to be rejected when running on non-default ports (e.g. during dev), collapsing _securedURL to /.
Example
URI.getHost() = 127.0.0.1
URI.getPort() = 61910
getRealHost() = 127.0.0.1:61910
Direct comparison fails even though the host is the same.
Fix
Normalize getRealHost() to host-only before comparison.
Patch - /Interceptors/Security.cfc (line 828)

```cfml
// Get the current request's host for comparison.
// Normalize host: urlToValidate.getHost() does not include the port,
// so strip the port from .getRealHost() before comparing.
var currentHost = listFirst( variables.cbSecurity.getRealHost(), ":" );
// Compare hosts (case-insensitive)
return compareNoCase( urlToValidate.getHost(), currentHost ) == 0;
```
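The mismatch above and the host-only normalization, as an added stand-alone illustration (this is not cbSecurity's code and not from the issue author; it models the reported behaviour in Python using urllib.parse in place of java.net.URI, and the sample URLs and the 127.0.0.1:61910 real-host value are constructed from the example in the report). It shows the buggy comparison rejecting a same-host redirect, the normalized comparison accepting it while still rejecting a foreign host, and the fallback-to-/ behaviour that the report describes as the visible symptom:

```python
from urllib.parse import urlsplit

# Constructed sample values mirroring the report: the app is served on a
# non-default port, so the "real host" string carries a :port suffix.
REAL_HOST_WITH_PORT = "127.0.0.1:61910"
REDIRECT_URL = "http://127.0.0.1:61910/admin/dashboard"   # same host, should be allowed
EXTERNAL_URL = "http://evil.example.net/login"            # foreign host, must be rejected


def real_host_to_hostname(real_host: str) -> str:
    """Reduce a 'host' or 'host:port' string to the bare hostname.

    Parsing it as a network location makes urlsplit handle the port and
    also bracketed IPv6 literals such as '[::1]:8080' (-> '::1'), which a
    plain split on ':' would not. .hostname is already lower-cased.
    """
    return urlsplit("//" + real_host).hostname or ""


def is_same_host_buggy(url_to_validate: str, real_host: str) -> bool:
    """Reproduces the defect: hostname (no port) compared to host:port."""
    hostname = urlsplit(url_to_validate).hostname or ""
    return hostname.lower() == real_host.lower()


def is_same_host_fixed(url_to_validate: str, real_host: str) -> bool:
    """Normalized comparison: both sides reduced to a lower-cased hostname."""
    hostname = urlsplit(url_to_validate).hostname or ""
    return hostname != "" and hostname == real_host_to_hostname(real_host)


def safe_redirect_target(url_to_validate: str, real_host: str, fallback: str = "/") -> str:
    """Return the URL only if it points back at this host, else the fallback."""
    return url_to_validate if is_same_host_fixed(url_to_validate, real_host) else fallback


if __name__ == "__main__":
    print("buggy same-host check:", is_same_host_buggy(REDIRECT_URL, REAL_HOST_WITH_PORT))
    print("fixed same-host check:", is_same_host_fixed(REDIRECT_URL, REAL_HOST_WITH_PORT))
    print("external URL collapses to:", safe_redirect_target(EXTERNAL_URL, REAL_HOST_WITH_PORT))
```

The buggy check returns False for the same-host URL because "127.0.0.1" is compared against "127.0.0.1:61910", which is exactly why the secured URL falls back to /. Note that the listFirst-on-":" approach in the patch above would also truncate a bracketed IPv6 real host such as [::1]:8080 to "[", so a host parser rather than a string split is the safer normalization if the application can be served on an IPv6 literal.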