bug #36286 [Validator] Allow URL-encoded special characters in basic auth part of URLs (cweiske)
This PR was submitted for the master branch but it was merged into the 3.4 branch instead.
Discussion
----------
[Validator] Allow URL-encoded special characters in basic auth part of URLs
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #36285
| License | MIT
Special characters in HTTP Basic Auth passwords in a URL need to be URL-encoded.
Example: `foo@bar` becomes `foo%40bar`, in a URL: `http://user:foo%40bar@example.org`
The UrlValidator did not allow percent signs in username and password, and this is changed now.
Commits
-------
8a56c506e3
Allow URL-encoded special characters in basic auth part of URLs
commit
6254cdb0f4
@ -23,7 +23,7 @@ class UrlValidator extends ConstraintValidator
|
|||||||
{
|
{
|
||||||
const PATTERN = '~^
|
const PATTERN = '~^
|
||||||
(%s):// # protocol
|
(%s):// # protocol
|
||||||
(([\_\.\pL\pN-]+:)?([\_\.\pL\pN-]+)@)? # basic auth
|
(((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)? # basic auth
|
||||||
(
|
(
|
||||||
([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
|
([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
|
||||||
| # or
|
| # or
|
||||||
|
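Review bot: the doubled percent in `%%[0-9A-Fa-f]{2}` on the `# basic auth` line is undocumented and easy to misread as two literal percent signs. It is only correct if PATTERN is used as a format string, which the `(%s)` protocol placeholder on the line above suggests; please say so in the trailing comment, for example `# basic auth (%% is an escaped %)`. The sub-pattern `(?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+` is also written out twice, once for the user and once for the password, so the two copies can drift apart; building it once and interpolating it would avoid that. Note too that any hex pair is accepted, including control bytes such as `%00`, so code that decodes the userinfo after validation still has to treat the decoded value as untrusted.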
@ -122,6 +122,8 @@ class UrlValidatorTest extends ConstraintValidatorTestCase
|
|||||||
['http://user.name:pass.word@symfony.com'],
|
['http://user.name:pass.word@symfony.com'],
|
||||||
['http://user-name@symfony.com'],
|
['http://user-name@symfony.com'],
|
||||||
['http://user_name@symfony.com'],
|
['http://user_name@symfony.com'],
|
||||||
|
['http://u%24er:password@symfony.com'],
|
||||||
|
['http://user:pa%24%24word@symfony.com'],
|
||||||
['http://symfony.com?'],
|
['http://symfony.com?'],
|
||||||
['http://symfony.com?query=1'],
|
['http://symfony.com?query=1'],
|
||||||
['http://symfony.com/?query=1'],
|
['http://symfony.com/?query=1'],
|
||||||
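Review bot: the two added valid cases, `u%24er:password` and `pa%24%24word`, only exercise escapes made of decimal digits, so the `A-Fa-f` part of the new character class is never tested. Please add at least one escape with an uppercase and one with a lowercase hex letter, and include the case from the PR description, e.g. `['http://user:foo%40bar@symfony.com']`. A user-only URL with an escape and no password (the `user@host` form already covered by `user-name@symfony.com`) would also confirm the second group on its own.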
@ -168,6 +170,8 @@ class UrlValidatorTest extends ConstraintValidatorTestCase
|
|||||||
['http://:password@@symfony.com'],
|
['http://:password@@symfony.com'],
|
||||||
['http://username:passwordsymfony.com'],
|
['http://username:passwordsymfony.com'],
|
||||||
['http://usern@me:password@symfony.com'],
|
['http://usern@me:password@symfony.com'],
|
||||||
|
['http://nota%hex:password@symfony.com'],
|
||||||
|
['http://username:nota%hex@symfony.com'],
|
||||||
['http://example.com/exploit.html?<script>alert(1);</script>'],
|
['http://example.com/exploit.html?<script>alert(1);</script>'],
|
||||||
['http://example.com/exploit.html?hel lo'],
|
['http://example.com/exploit.html?hel lo'],
|
||||||
['http://example.com/exploit.html?not_a%hex'],
|
['http://example.com/exploit.html?not_a%hex'],
|
||||||
|
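Review bot: both added invalid cases use `nota%hex`, where the escape already fails on its first character, so nothing checks that exactly two hex digits are required. Please add a truncated escape directly before the delimiter, such as `['http://user%4:password@symfony.com']` and `['http://username:pass%4@symfony.com']`, plus a bare `%` with nothing after it, so that the `{2}` quantifier in the new pattern is covered.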