ZF-11017: Fix for bug in routing of URLs with encoded slashes


For the record: This bug is connected to encoded slashes in URLs & I know of the problem / necessity to have {{AllowEncodedSlashes On}} in the Apache configuration.

Problem: After an update to Zend version 1.11.1 (from an earlier version, can't remember which ) I noticed that the framework didn't build correct routes and request parameters anymore if there were encoded slashes ("%2F") in one of the URL parameters (what's between 2 "real" slashes /). Requests which worked previously failed suddenly.

Fix: Remove (comment) line in Zend/Controller/Request/Http.php:626 (in method {{setPathInfo()}}):

{{// $requestUri = urldecode($requestUri);}}

Haven't noticed any side effects so far. I would appreciate if this change could be implemented in trunk (or other fix for the problem).


Confirmed this is an issue for me as well. It seems that a symptom may have been fixed in Zend_Rest_Route The diff here appears to be the most likely solution:

My problem specifically is with double decoding plus (+) signs in params but this would be an issue with any similar character which can be decoded twice with two different results (from %2B to a plus sign to a space).

My 2 cents: I suspect that the root cause is Zend_Controller_Request_Http::setPathInfo() line 626: $requestUri = urldecode($requestUri);. As such, the fix to Zend_Rest_Route would likely need to be rolled back if my suspicion is correct.

It turns out that this could actually be a triple urldecode issue when Zend_Controller_Router_Route::match() comes into play and the route contains a wildcard.

It works for me with the diff from ZF-3527 and removing the urldecode from line 240 of Zend_Controller_Router_Route

//$this->_wildcardData[$var] = (isset($path[$i+1])) ? urldecode($path[$i+1]) : null;
$this->_wildcardData[$var] = (isset($path[$i+1])) ? $path[$i+1] : null;

Potential fix in trunk at r24002 - asking for watchers to test now.

Fix confirmed.

Fixed in trunk at r24002 Fixed in release branch 1.11 at r24003

Confirmed this also fixes the issue of double decodable characters in slashy params.