merged branch Tobion/apache-pathinfo (PR #7656)
This PR was merged into the 2.1 branch.
Discussion
----------
[HttpFoundation] do not use server variable PATH_INFO
because it is already decoded (see http://www.ietf.org/rfc/rfc3875) and thus Symfony is fragile to double encoding of the path. This is not really a security issue (in contrast to a [previous problem](http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released)), but when using the `ApacheRequest`, one could access pages with double-encoded characters although the path should not match.
BC break: no
tests pass: yes
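The fragility described above, as an added illustration that is not Symfony's own code: Apache hands PHP a `PATH_INFO` that has already been percent-decoded once (RFC 3875), while `REQUEST_URI` still carries the raw bytes the client sent, so a router that decodes the path once more before matching sees two different paths depending on which variable the path info was derived from. The `$_SERVER` values, the two helper functions and the one-shot `routeMatches()` are all constructed for this example.

```php
<?php
// Constructed example (not Symfony code): deriving path info from the
// already-decoded PATH_INFO variable versus from the raw REQUEST_URI.

function pathInfoFromServerVariable(array $server): string
{
    // Mirrors the removed ApacheRequest override: trust PATH_INFO as-is.
    return $server['PATH_INFO'] ?: '/';
}

function pathInfoFromRequestUri(array $server): string
{
    // Mirrors the inherited behaviour: strip the base URL from the raw URI,
    // leaving whatever percent-encoding the client actually sent.
    $uri  = explode('?', $server['REQUEST_URI'], 2)[0];
    $base = $server['SCRIPT_NAME'];
    $path = (strpos($uri, $base) === 0) ? substr($uri, strlen($base)) : $uri;
    return $path === '' ? '/' : $path;
}

function routeMatches(string $pathInfo, string $routePath): bool
{
    // A URL matcher decodes the path info exactly once before comparing it
    // with the (already decoded) route pattern, as Symfony's matcher does.
    return rawurldecode($pathInfo) === $routePath;
}

// Constructed request: the client asked for "/foo%252Fbar", i.e. a
// double-encoded "/foo/bar". Apache decodes PATH_INFO once ("%25" -> "%"),
// so PATH_INFO already reads "/foo%2Fbar" while REQUEST_URI is untouched.
$server = [
    'SCRIPT_NAME' => '/app.php',
    'REQUEST_URI' => '/app.php/foo%252Fbar',
    'PATH_INFO'   => '/foo%2Fbar',
];

$fromPathInfo   = pathInfoFromServerVariable($server);
$fromRequestUri = pathInfoFromRequestUri($server);

// The route "/foo/bar" is matched only through the PATH_INFO-derived value,
// because that value gets decoded a second time by the matcher.
var_dump(routeMatches($fromPathInfo, '/foo/bar'));
var_dump(routeMatches($fromRequestUri, '/foo/bar'));
```

Running it shows the PATH_INFO-derived path matching the `/foo/bar` route even though the client never sent that path, while the REQUEST_URI-derived path correctly fails to match; this is the spurious match the PR removes by dropping the override.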
Commits
-------
d552e4c
[HttpFoundation] do not use server variable PATH_INFO because it is already decoded and thus Symfony is fragile to double encoding of the path
This commit is contained in: commit ff56a9e8a3
@ -40,12 +40,4 @@ class ApacheRequest extends Request
|
|||||||
|
|
||||||
return $baseUrl;
|
return $baseUrl;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* {@inheritdoc}
|
|
||||||
*/
|
|
||||||
protected function preparePathInfo()
|
|
||||||
{
|
|
||||||
return $this->server->get('PATH_INFO') ?: substr($this->prepareRequestUri(), strlen($this->prepareBaseUrl())) ?: '/';
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
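Review bot: the hunk removes the only code path that made `ApacheRequest` differ from `Request` for path info, but it carries no test change, so the double-encoding case from the PR description (a `PATH_INFO` that Apache has already decoded once while `REQUEST_URI` still holds the raw bytes) is not pinned down; add a test in the `ApacheRequest` suite asserting that `getPathInfo()` now returns the still-encoded path taken from `REQUEST_URI`. Also note that the removed line's trailing `?: '/'` default and its `substr($this->prepareRequestUri(), strlen($this->prepareBaseUrl()))` fallback both disappear with it, so confirm the inherited `Request::preparePathInfo()` yields `/` for an empty path and strips the base URL the same way; if it does, this is the behaviour the class should have had all along and the commit message could say so explicitly.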