[Validator] fix URL validator to detect non supported chars according to RFC 3986

2017-03-16 13:01:13 +02:00 · 2017-03-16 13:01:13 +02:00 · 3599c476bf
commit 3599c476bf
parent 2240ecfa14
2 changed files with 7 additions and 1 deletions
--- a/src/Symfony/Component/Validator/Constraints/UrlValidator.php
+++ b/src/Symfony/Component/Validator/Constraints/UrlValidator.php
@ -34,7 +34,9 @@ class UrlValidator extends ConstraintValidator
                \]  # an IPv6 address
            )
            (:[0-9]+)?                              # a port (optional)
-            (/?|/\S+|\?\S*|\#\S*)                   # a /, nothing, a / with something, a query or a fragment
+            (?:/ (?:[\pL\pN\-._\~!$&\'()*+,;=:@]|%%[0-9A-Fa-f]{2})* )*      # a path
+            (?:\? (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )?   # a query (optional)
+            (?:\# (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )?   # a fragment (optional)
        $~ixu';

    /**
--- a/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
+++ b/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
@ -128,6 +128,7 @@ class UrlValidatorTest extends AbstractConstraintValidatorTest
            array('http://symfony.com#'),
            array('http://symfony.com#fragment'),
            array('http://symfony.com/#fragment'),
+            array('http://symfony.com/#one_more%20test'),
        );
    }

@ -167,6 +168,9 @@ class UrlValidatorTest extends AbstractConstraintValidatorTest
            array('http://:password@@symfony.com'),
            array('http://username:passwordsymfony.com'),
            array('http://usern@me:password@symfony.com'),
+            array('http://example.com/exploit.html?<script>alert(1);</script>'),
+            array('http://example.com/exploit.html?hel lo'),
+            array('http://example.com/exploit.html?not_a%hex'),
        );
    }