ZF-11017 - Issues - Zend Framework

ZF-11017: Fix for bug in routing of URLs with encoded slashes

Issue Type:

Bug

Created:

2011-02-01T02:36:00.000+0000

Last Updated:

2011-05-05T13:31:33.000+0000

Status:

Resolved

Fix version(s):

1.11.6 (05/May/11)

Reporter:

Martin Stricker (strickr)

Assignee:

Ralph Schindler (ralph)

Tags:

Zend_Controller

Related issues:

ZF-3527

Attachments:

Description

For the record: This bug is connected to encoded slashes in URLs & I know of the problem / necessity to have {{AllowEncodedSlashes On}} in the Apache configuration.

Problem: After an update to Zend version 1.11.1 (from an earlier version, can't remember which ) I noticed that the framework didn't build correct routes and request parameters anymore if there were encoded slashes ("%2F") in one of the URL parameters (what's between 2 "real" slashes /). Requests which worked previously failed suddenly.

Fix: Remove (comment) line in Zend/Controller/Request/Http.php:626 (in method {{setPathInfo()}}):

Haven't noticed any side effects so far. I would appreciate if this change could be implemented in trunk (or other fix for the problem).

Comments

Posted by Marc Guyer (marcguyer) on 2011-05-03T15:16:14.000+0000

Confirmed this is an issue for me as well. It seems that a symptom may have been fixed in Zend_Rest_Route http://framework.zend.com/issues/browse/ZF-10964. The diff here appears to be the most likely solution: http://framework.zend.com/issues/browse/ZF-3527.

My problem specifically is with double decoding plus (+) signs in params but this would be an issue with any similar character which can be decoded twice with two different results (from %2B to a plus sign to a space).

My 2 cents: I suspect that the root cause is Zend_Controller_Request_Http::setPathInfo() line 626: $requestUri = urldecode($requestUri);. As such, the fix to Zend_Rest_Route would likely need to be rolled back if my suspicion is correct.

Posted by Marc Guyer (marcguyer) on 2011-05-03T16:01:01.000+0000

It turns out that this could actually be a triple urldecode issue when Zend_Controller_Router_Route::match() comes into play and the route contains a wildcard.

It works for me with the diff from ZF-3527 and removing the urldecode from line 240 of Zend_Controller_Router_Route


//$this->_wildcardData[$var] = (isset($path[$i+1])) ? urldecode($path[$i+1]) : null;
$this->_wildcardData[$var] = (isset($path[$i+1])) ? $path[$i+1] : null;

Posted by Ralph Schindler (ralph) on 2011-05-04T17:03:09.000+0000

Potential fix in trunk at r24002 - asking for watchers to test now.

Posted by Martin Stricker (strickr) on 2011-05-04T17:38:30.000+0000

Fix confirmed.

Posted by Ralph Schindler (ralph) on 2011-05-04T17:52:14.000+0000

Fixed in trunk at r24002 Fixed in release branch 1.11 at r24003

Posted by Marc Guyer (marcguyer) on 2011-05-05T13:31:33.000+0000

Confirmed this also fixes the issue of double decodable characters in slashy params.