ZF-10535: Dispatcher Problem with extraneous characters

Description

I am not sure if this is a bug, but at least it needs to be properly documented.

I just noticed that ZF's standard dispatcher behaves differently from what I would have expected with extraneous characters in the action name such as -/+/.

For example, if I add a dash to the action name, e.g. "/foo/bar-", I do not get a Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_ACTION error, but instead, the barAction() method is called, and only afterwards ZF fails with a Zend_View_Exception: 'script 'foo/bar-.phtml' not found in path.

This is apparently due to the method Zend_Controller_Dispatcher_Abstract::_formatName silently stripping out all non-alphanumeric characters.

This is very unexpected and may at least disrupt error handling (resulting e.g. in an 'internal error' instead of 'file not found'), and potentially may have security implications if not properly handled.

  • is this the expected behaviour?
  • is it documented?
  • how can I handle this properly? Do I have to write my own dispatcher (I would rather not)?

Comments

No comments to display