[DependencyInjection][HttpClient][Routing] Reject vertical tab in URIs · symfony/symfony@e5c0383 · GitHub

Commit e5c0383

[DependencyInjection][HttpClient][Routing] Reject vertical tab in URIs
1 parent 7a16efe commit e5c0383

6 files changed

+6
-3
lines changed

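--- a/src/Symfony/Component/DependencyInjection/EnvVarProcessor.php
+++ b/src/Symfony/Component/DependencyInjection/EnvVarProcessor.php
@@ -313,7 +313,7 @@ public function getEnv(string $prefix, string $name, \Closure $getEnv): mixed
 if (('\\' !== \DIRECTORY_SEPARATOR || 'file' !== $params['scheme']) && false !== ($i = strpos($env, '\\')) && $i < strcspn($env, '?#')) {
 throw new RuntimeException(\sprintf('Invalid URL in env var "%s": backslashes are not allowed.', $name));
 }
-if (\ord($env[0]) <= 32 || \ord($env[-1]) <= 32 || \strlen($env) !== strcspn($env, "\r\n\t")) {
+if (\ord($env[0]) <= 32 || \ord($env[-1]) <= 32 || \strlen($env) !== strcspn($env, "\r\n\t\v")) {
 throw new RuntimeException(\sprintf('Invalid URL in env var "%s": leading/trailing ASCII control characters or whitespaces are not allowed.', $name));
 }
 $params += [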
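Review bot: The embedded-character deny-list on the changed line is still an enumeration (`"\r\n\t\v"`), so a form feed, a NUL or any other C0 control byte in the middle of the value passes these three clauses; only the first and last byte are held to `<= 32`. Whether anything outside the hunk rejects those bytes is not visible here, so either add a comment stating why exactly these four are sufficient, or reject the whole range with something like `1 === preg_match('/[\x00-\x1F\x7F]/', $env)`. The same literal is repeated in `HttpClientTrait::parseUrl()` and `RequestContext::fromUri()`, and the three copies will drift unless they share one constant. The exception text also speaks only of "leading/trailing" characters, although the third clause fires on a match anywhere in the string. getEnv() starts and ends outside the hunk.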

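--- a/src/Symfony/Component/DependencyInjection/Tests/EnvVarProcessorTest.php
+++ b/src/Symfony/Component/DependencyInjection/Tests/EnvVarProcessorTest.php
@@ -1002,6 +1002,7 @@ public static function provideGetEnvUrlPath()
 * ["a\rb"]
 * ["a\nb"]
 * ["a\tb"]
+* ["a\u000bb"]
 * ["\u0000foo"]
 * ["foo\u0000"]
 * [" foo"]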

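--- a/src/Symfony/Component/HttpClient/HttpClientTrait.php
+++ b/src/Symfony/Component/HttpClient/HttpClientTrait.php
@@ -640,7 +640,7 @@ private static function parseUrl(string $url, array $query = [], array $allowedS
 if (false !== ($i = strpos($url, '\\')) && $i < strcspn($url, '?#')) {
 throw new InvalidArgumentException(\sprintf('Malformed URL "%s": backslashes are not allowed.', $url));
 }
-if (\strlen($url) !== strcspn($url, "\r\n\t")) {
+if (\strlen($url) !== strcspn($url, "\r\n\t\v")) {
 throw new InvalidArgumentException(\sprintf('Malformed URL "%s": CR/LF/TAB characters are not allowed.', $url));
 }
 if ('' !== $url && (\ord($url[0]) <= 32 || \ord($url[-1]) <= 32)) {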
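Review bot: The message on the line after the changed check still reads "CR/LF/TAB characters are not allowed", which is stale now that the check also refuses a vertical tab; `'Malformed URL "%s": CR/LF/TAB/VT characters are not allowed.'` would match the new behaviour. That message also interpolates the rejected `$url` verbatim, so the control characters being refused end up in the exception text and in whatever log records it. Consider escaping the value first, for example `addcslashes($url, "\0..\37\177")`, or leaving it out of the message. parseUrl() continues outside the hunk, so any test that pins the current wording is not visible here.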

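--- a/src/Symfony/Component/HttpClient/Tests/HttpClientTraitTest.php
+++ b/src/Symfony/Component/HttpClient/Tests/HttpClientTraitTest.php
@@ -253,6 +253,7 @@ public function testResolveBaseUrlWithoutScheme()
 * ["a\rb"]
 * ["a\nb"]
 * ["a\tb"]
+* ["a\u000bb"]
 * ["\u0000foo"]
 * ["foo\u0000"]
 * [" foo"]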

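--- a/src/Symfony/Component/Routing/RequestContext.php
+++ b/src/Symfony/Component/Routing/RequestContext.php
@@ -50,7 +50,7 @@ public static function fromUri(string $uri, string $host = 'localhost', string $
 if (false !== ($i = strpos($uri, '\\')) && $i < strcspn($uri, '?#')) {
 $uri = '';
 }
-if ('' !== $uri && (\ord($uri[0]) <= 32 || \ord($uri[-1]) <= 32 || \strlen($uri) !== strcspn($uri, "\r\n\t"))) {
+if ('' !== $uri && (\ord($uri[0]) <= 32 || \ord($uri[-1]) <= 32 || \strlen($uri) !== strcspn($uri, "\r\n\t\v"))) {
 $uri = '';
 }
 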
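Review bot: Rejection on the changed line is silent: the condition only sets `$uri = ''`, whereas the equivalent checks in EnvVarProcessor and HttpClientTrait throw, so a caller of fromUri() cannot tell a refused URI from an empty one. If that is deliberate, it should be stated above the check, e.g. `// Unsafe URIs (control bytes or spaces at either end, CR/LF/TAB/VT anywhere) are treated as empty instead of throwing.` What happens to the empty string afterwards is outside the hunk, as fromUri() continues past it.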

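--- a/src/Symfony/Component/Routing/Tests/RequestContextTest.php
+++ b/src/Symfony/Component/Routing/Tests/RequestContextTest.php
@@ -91,6 +91,7 @@ public function testFromUriBeingEmpty()
 * ["a\rb"]
 * ["a\nb"]
 * ["a\tb"]
+* ["a\u000bb"]
 * ["\u0000foo"]
 * ["foo\u0000"]
 * [" foo"]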
