bug #36286 [Validator] Allow URL-encoded special characters in basic auth part of URLs (cweiske)

This PR was submitted for the master branch but it was merged into the 3.4 branch instead. Discussion ---------- [Validator] Allow URL-encoded special characters in basic auth part of URLs | Q | A | ------------- | --- | Branch? | 5.0 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36285 | License | MIT Special characters in HTTP Basic Auth passwords in an URL need to be url-encoded. Example: `foo@bar` becomes `foo%40bar`, in an URL: `http://user:foo%40bar@example.org` The UrlValidator did not allow percent signs in username and password, and this is changed now. Commits ------- 8a56c506e3 Allow URL-encoded special characters in basic auth part of URLs
2020-04-04 09:24:28 +02:00 · 2020-04-04 09:24:28 +02:00 · 6254cdb0f4
commit 6254cdb0f4
parent 6dbf9eb663 8a56c506e3
2 changed files with 5 additions and 1 deletions
--- a/src/Symfony/Component/Validator/Constraints/UrlValidator.php
+++ b/src/Symfony/Component/Validator/Constraints/UrlValidator.php
@ -23,7 +23,7 @@ class UrlValidator extends ConstraintValidator
 {
    const PATTERN = '~^
            (%s)://                                 # protocol
-            (([\_\.\pL\pN-]+:)?([\_\.\pL\pN-]+)@)?  # basic auth
+            (((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)?  # basic auth
            (
                ([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
                    |                                                 # or
--- a/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
+++ b/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
@ -122,6 +122,8 @@ class UrlValidatorTest extends ConstraintValidatorTestCase
            ['http://user.name:pass.word@symfony.com'],
            ['http://user-name@symfony.com'],
            ['http://user_name@symfony.com'],
+            ['http://u%24er:password@symfony.com'],
+            ['http://user:pa%24%24word@symfony.com'],
            ['http://symfony.com?'],
            ['http://symfony.com?query=1'],
            ['http://symfony.com/?query=1'],
@ -168,6 +170,8 @@ class UrlValidatorTest extends ConstraintValidatorTestCase
            ['http://:password@@symfony.com'],
            ['http://username:passwordsymfony.com'],
            ['http://usern@me:password@symfony.com'],
+            ['http://nota%hex:password@symfony.com'],
+            ['http://username:nota%hex@symfony.com'],
            ['http://example.com/exploit.html?<script>alert(1);</script>'],
            ['http://example.com/exploit.html?hel lo'],
            ['http://example.com/exploit.html?not_a%hex'],