diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bug #23238 [Security] ensure the 'route' index is set before attempting to use it (gsdevme) 

This PR was submitted for the 2.8 branch but it was merged into the 2.7 branch instead (closes #23238).

Discussion
----------

[Security] ensure the 'route' index is set before attempting to use it

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

```
                // matching a request is more powerful than matching a URL path + context, so try that first
                if ($this->urlMatcher instanceof RequestMatcherInterface) {
                    $parameters = $this->urlMatcher->matchRequest($request);
                } else {
                    $parameters = $this->urlMatcher->match($request->getPathInfo());
                }

                return $path === $parameters['_route'];
```
Hi the issue here is the code is assuming a `_route` has been returned from the `match()` method.. however there is nothing to suggest that is always the case. For example if I just want to return a controller that is perhaps not added as an actual route I can & it works.. Although this will generate a notice warning.

**In terms of what happens if the `_route` is not defined should it return `false?` or actually  perform a similar condition as `return $path === rawurldecode($request->getPathInfo());` **

I have an implementation of a router that is just returning a controller path and its arguments without a `_route` which works aside from this notice.

Commits
-------

7ae578cc1a fix(security): ensure the 'route' index is set before attempting to use it
This commit is contained in:
Fabien Potencier 2017-07-20 09:38:10 +02:00
parent f4172b0bff 7ae578cc1a
commit f4fffc082c
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Symfony/Component/Security/Http/HttpUtils.php
View File

@ -108,7 +108,7 @@ class HttpUtils
$parameters = $this->urlMatcher->match($request->getPathInfo());
}
return $path === $parameters['_route'];
return isset($parameters['_route']) && $path === $parameters['_route'];
} catch (MethodNotAllowedException $e) {
return false;
} catch (ResourceNotFoundException $e) {

13
src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
View File

@ -221,6 +221,19 @@ class HttpUtilsTest extends TestCase
$utils->checkRequestPath($this->getRequest(), 'foobar');
}
public function testCheckPathWithoutRouteParam()
{
$urlMatcher = $this->getMockBuilder('Symfony\Component\Routing\Matcher\UrlMatcherInterface')->getMock();
$urlMatcher
->expects($this->any())
->method('match')
->willReturn(array('_controller' => 'PathController'))
;
$utils = new HttpUtils(null, $urlMatcher);
$this->assertFalse($utils->checkRequestPath($this->getRequest(), 'path/index.html'));
}
/**
* @expectedException \InvalidArgumentException
* @expectedExceptionMessage Matcher must either implement UrlMatcherInterface or RequestMatcherInterface