bug #36286 [Validator] Allow URL-encoded special characters in basic auth part of URLs (cweiske)

fabpot · fabpot · commit 6254cdb0f488 · 2020-04-04T09:24:28.000+02:00
This PR was submitted for the master branch but it was merged into the 3.4 branch instead. Discussion ---------- [Validator] Allow URL-encoded special characters in basic auth part of URLs | Q | A | ------------- | --- | Branch? | 5.0 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36285 | License | MIT Special characters in HTTP Basic Auth passwords in an URL need to be url-encoded. Example: `foo@bar` becomes `foo%40bar`, in an URL: `http://user:foo%40bar@example.org` The UrlValidator did not allow percent signs in username and password, and this is changed now. Commits ------- 8a56c50 Allow URL-encoded special characters in basic auth part of URLs
diff --git a/src/Symfony/Component/Validator/Constraints/UrlValidator.php b/src/Symfony/Component/Validator/Constraints/UrlValidator.php
@@ -23,7 +23,7 @@ class UrlValidator extends ConstraintValidator
 {
     const PATTERN = '~^
             (%s)://                                 # protocol
-            (([\_\.\pL\pN-]+:)?([\_\.\pL\pN-]+)@)?  # basic auth
+            (((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)?  # basic auth
             (
                 ([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
                     |                                                 # or
diff --git a/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php b/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
@@ -122,6 +122,8 @@ public function getValidUrls()
             ['http://user.name:pass.word@symfony.com'],
             ['http://user-name@symfony.com'],
             ['http://user_name@symfony.com'],
+            ['http://u%24er:password@symfony.com'],
+            ['http://user:pa%24%24word@symfony.com'],
             ['http://symfony.com?'],
             ['http://symfony.com?query=1'],
             ['http://symfony.com/?query=1'],
@@ -168,6 +170,8 @@ public function getInvalidUrls()
             ['http://:password@@symfony.com'],
             ['http://username:passwordsymfony.com'],
             ['http://usern@me:password@symfony.com'],
+            ['http://nota%hex:password@symfony.com'],
+            ['http://username:nota%hex@symfony.com'],
             ['http://example.com/exploit.html?<script>alert(1);</script>'],
             ['http://example.com/exploit.html?hel lo'],
             ['http://example.com/exploit.html?not_a%hex'],

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ class UrlValidator extends ConstraintValidator`
`23`	`23`	`{`
`24`	`24`	`const PATTERN = '~^`
`25`	`25`	`(%s):// # protocol`
`26`		`- (([\_\.\pL\pN-]+:)?([\_\.\pL\pN-]+)@)? # basic auth`
	`26`	`+ (((?:[\_\.\pL\pN-]\|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]\|%%[0-9A-Fa-f]{2})+)@)? # basic auth`
`27`	`27`	`(`
`28`	`28`	`([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]\|xn\-\-[\pL\pN-]+)+\.?) # a domain name`
`29`	`29`	`\| # or`