8000 bug #22022 [Validator] fix URL validator to detect non supported char… · MacDada/symfony@3aa7658 · GitHub

Commit 3aa7658

committed
bug symfony#22022 [Validator] fix URL validator to detect non supported chars according to RFC 3986 (e-moe)
This PR was submitted for the 3.2 branch but it was merged into the 2.7 branch instead (closes symfony#22022). Discussion ---------- [Validator] fix URL validator to detect non supported chars according to RFC 3986 | Q | A | ------------- | --- | Branch? | 3.2 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony#21961 | License | MIT | Doc PR | none Commits ------- 3599c47 [Validator] fix URL validator to detect non supported chars according to RFC 3986
2 parents 2240ecf + 3599c47 commit 3aa7658


2 files changed

+7
-1
lines changed


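--- a/src/Symfony/Component/Validator/Constraints/UrlValidator.php
+++ b/src/Symfony/Component/Validator/Constraints/UrlValidator.php
@@ -34,7 +34,9 @@ class UrlValidator extends ConstraintValidator
 \] # an IPv6 address
 )
 (:[0-9]+)? # a port (optional)
-(/?|/\S+|\?\S*|\#\S*) # a /, nothing, a / with something, a query or a fragment
+(?:/ (?:[\pL\pN\-._\~!$&\'()*+,;=:@]|%%[0-9A-Fa-f]{2})* )* # a path
+(?:\? (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )? # a query (optional)
+(?:\# (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )? # a fragment (optional)
 $~ixu';
 
 /**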
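Review bot: The closing `$` on the `$~ixu';` line still matches just before a final newline, so a well-formed URL followed by `\n` passes even though the new path, query and fragment classes reject whitespace everywhere else. Adding the `D` modifier (`$~ixuD';`) or anchoring with `\z` would close that gap. Separately, the three classes keep `'`, `(` and `)` (RFC 3986 sub-delims) and admit any `\pL`/`\pN` character, so a docblock on the pattern should say that a passing value is only syntactically valid, is wider than the ASCII set of RFC 3986, and must still be escaped for the context it is written into. The pattern begins above the hunk, so the scheme, userinfo and host parts are not covered by this note.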

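--- a/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
+++ b/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
@@ -128,6 +128,7 @@ public function getValidUrls()
 array('http://symfony.com#'),
 array('http://symfony.com#fragment'),
 array('http://symfony.com/#fragment'),
+array('http://symfony.com/#one_more%20test'),
 );
 }
 
@@ -167,6 +168,9 @@ public function getInvalidUrls()
 array('http://:password@@symfony.com'),
 array('http://username:passwordsymfony.com'),
 array('http://usern@me:password@symfony.com'),
+array('http://example.com/exploit.html?<script>alert(1);</script>'),
+array('http://example.com/exploit.html?hel lo'),
+array('http://example.com/exploit.html?not_a%hex'),
 );
 }
 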
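Review bot: The three new invalid cases in getInvalidUrls() all place the bad input in the query, so the path and fragment branches of the rewritten pattern have no negative coverage. Parallel cases such as `array('http://example.com/pa th'),` and `array('http://example.com/#not_a%hex'),` (constructed examples) would pin those branches, and `array("http://example.com/\n"),` would show whether the end anchor accepts a trailing newline. On the positive side, the only percent-escape tested is in a fragment, so a valid escaped path and query would be worth adding to getValidUrls() as well. Both provider bodies start above their hunks, so existing cases outside the visible lines may already cover some of this.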
