bug #60292 [HttpFoundation] Encode path in X-Accel-Redirect header (Athorcis)

fabpot · fabpot · commit ebb9e659593a · 2025-05-12T08:14:18.000+02:00
This PR was merged into the 6.4 branch. Discussion ---------- [HttpFoundation] Encode path in `X-Accel-Redirect` header | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | License | MIT The path in `X-Accel-Redirect` header needs to be encoded otherwise nginx fail when certain characters are present in it (like % or ?) * rack/rack#1306 Commits ------- bcf20bc [HttpFoundation] Fix: Encode path in X-Accel-Redirect header
diff --git a/src/Symfony/Component/HttpFoundation/BinaryFileResponse.php b/src/Symfony/Component/HttpFoundation/BinaryFileResponse.php
@@ -229,7 +229,7 @@ public function prepare(Request $request): static
                         $path = $location.substr($path, \strlen($pathPrefix));
                         // Only set X-Accel-Redirect header if a valid URI can be produced
                         // as nginx does not serve arbitrary file paths.
-                        $this->headers->set($type, $path);
+                        $this->headers->set($type, rawurlencode($path));
                         $this->maxlen = 0;
                         break;
                     }
diff --git a/src/Symfony/Component/HttpFoundation/Tests/BinaryFileResponseTest.php b/src/Symfony/Component/HttpFoundation/Tests/BinaryFileResponseTest.php
@@ -314,7 +314,15 @@ public function testXAccelMapping($realpath, $mapping, $virtual)
         $property->setValue($response, $file);
 
         $response->prepare($request);
-        $this->assertEquals($virtual, $response->headers->get('X-Accel-Redirect'));
+        $header = $response->headers->get('X-Accel-Redirect');
+
+        if ($virtual) {
+            // Making sure the path doesn't contain characters unsupported by nginx
+            $this->assertMatchesRegularExpression('/^([^?%]|%[0-9A-F]{2})*$/', $header);
+            $header = rawurldecode($header);
+        }
+
+        $this->assertEquals($virtual, $header);
     }
 
     public function testDeleteFileAfterSend()
@@ -361,6 +369,7 @@ public static function getSampleXAccelMappings()
             ['/home/Foo/bar.txt', '/var/www/=/files/,/home/Foo/=/baz/', '/baz/bar.txt'],
             ['/home/Foo/bar.txt', '"/var/www/"="/files/", "/home/Foo/"="/baz/"', '/baz/bar.txt'],
             ['/tmp/bar.txt', '"/var/www/"="/files/", "/home/Foo/"="/baz/"', null],
+            ['/var/www/var/www/files/foo%.txt', '/var/www/=/files/', '/files/var/www/files/foo%.txt'],
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -229,7 +229,7 @@ public function prepare(Request $request): static`
`229`	`229`	`$path = $location.substr($path, \strlen($pathPrefix));`
`230`	`230`	`// Only set X-Accel-Redirect header if a valid URI can be produced`
`231`	`231`	`// as nginx does not serve arbitrary file paths.`
`232`		`- $this->headers->set($type, $path);`
	`232`	`+ $this->headers->set($type, rawurlencode($path));`
`233`	`233`	`$this->maxlen = 0;`
`234`	`234`	`break;`
`235`	`235`	`}`