bug #59525 [HtmlSanitizer] Fix access to undefined keys in UrlSanitizer (Antoine Beyet)

nicolas-grekas · nicolas-grekas · commit 8abf1aec0b37 · 2025-01-17T14:18:31.000+01:00
This PR was merged into the 6.4 branch. Discussion ---------- [HtmlSanitizer] Fix access to undefined keys in UrlSanitizer | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix #59524 | License | MIT This PR fixes the bug highlighted in #59524 and adds the unit test used to prove the error. Commits ------- c1d8c39 [HtmlSanitizer] Avoid accessing non existent array key when checking for hosts validity
diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php
@@ -274,6 +274,15 @@ public static function provideSanitize(): iterable
             'expected' => null,
         ];
 
+        yield [
+            'input' => 'https://trusted.com/link.php',
+            'allowedSchemes' => ['http', 'https'],
+            'allowedHosts' => ['subdomain.trusted.com', 'trusted.com'],
+            'forceHttps' => false,
+            'allowRelative' => false,
+            'expected' => 'https://trusted.com/link.php',
+        ];
+
         // Allow relative
         yield [
             'input' => '/link.php',
diff --git a/src/Symfony/Component/HtmlSanitizer/TextSanitizer/UrlSanitizer.php b/src/Symfony/Component/HtmlSanitizer/TextSanitizer/UrlSanitizer.php
@@ -132,7 +132,7 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar
     {
         // Check each chunk of the domain is valid
         foreach ($trustedParts as $key => $trustedPart) {
-            if ($uriParts[$key] !== $trustedPart) {
+            if (!array_key_exists($key, $uriParts) || $uriParts[$key] !== $trustedPart) {
                 return false;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,7 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar`
`132`	`132`	`{`
`133`	`133`	`// Check each chunk of the domain is valid`
`134`	`134`	`foreach ($trustedParts as $key => $trustedPart) {`
`135`		`- if ($uriParts[$key] !== $trustedPart) {`
	`135`	`+ if (!array_key_exists($key, $uriParts) \|\| $uriParts[$key] !== $trustedPart) {`
`136`	`136`	`return false;`
`137`	`137`	`}`
`138`	`138`	`}`