Issues

ZF-11204: Zend_Controller error - parameters in the url

Description

I was testing the security of my site with a scanner and it reported the error "Possible Backup File was found". That's not what really happens, but Zend reports an error when one of the parameters below is passed in the URL:

- -controllername (http://framework.zend.com/-index)
- controllername- (http://framework.zend.com/about-)
- ~controllername
- controllername. (http://framework.zend.com/download.)
- .controllername
- controllername controllername

The error generated is this: script '-controllername/index.phtml' not found in path

The expected result would be an "error 404", but that is not what happens. How do we arrange this?

Comments

It appears that unwanted characters (such as -) are stripped out of the controller name before dispatch, but ViewRenderer still uses the unfiltered controller name.

I've attached a patch which reproduces a single case of your issue.

Now the question: Would altering the behavior to strip out those unwanted characters from the view script name be considered a BC break?

Could we introduce a two-stage process for determining the view script name, i.e. check first for the unfiltered script and, if it's not found, check for the filtered script name? That should alleviate any possible BC issues.
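The two-stage lookup proposed in the comment above, as an added stand-alone sketch that is not Zend Framework code. The filtering rule (keep only letters, digits and underscores), the `views/scripts` layout and the `controller/action.phtml` naming are assumptions taken from the error message in the report; the prefix check after `realpath()` is added so that names like `~x`, `.x` or `..` can never resolve outside the script path.

```php
<?php
// Added illustration, not Zend Framework code. It sketches the proposed
// two-stage lookup: try the unfiltered script name first (preserving the
// current behaviour), then the filtered one the dispatcher actually used,
// and return null instead of throwing so the caller can answer with a 404.

function filterControllerName(string $raw): string
{
    // Assumed dispatcher rule: strip everything except letters, digits, "_".
    // This removes the "-", ".", "~" and space variants listed in the report.
    return preg_replace('/[^A-Za-z0-9_]/', '', $raw);
}

/**
 * Resolve the view script for a request.
 * Returns the absolute path of the script to render, or null when no
 * candidate exists inside $scriptPath (the caller should send a 404).
 */
function resolveViewScript(string $scriptPath, string $rawController, string $action): ?string
{
    $base = realpath($scriptPath);
    if ($base === false) {
        return null;
    }

    // Stage 1: the unfiltered name, for applications relying on it today.
    $candidates = [$rawController];

    // Stage 2: the filtered name, which is what was dispatched.
    $filtered = filterControllerName($rawController);
    if ($filtered !== '' && $filtered !== $rawController) {
        $candidates[] = $filtered;
    }

    foreach ($candidates as $controller) {
        $file = $base . DIRECTORY_SEPARATOR . $controller
              . DIRECTORY_SEPARATOR . $action . '.phtml';
        $resolved = realpath($file); // false when the file does not exist
        // Keep the lookup inside the script path even for odd raw names.
        if ($resolved !== false && strpos($resolved, $base . DIRECTORY_SEPARATOR) === 0) {
            return $resolved;
        }
    }
    return null; // neither candidate exists: a 404, not an exception
}

// Constructed usage: with views/scripts/index/index.phtml present, the
// request for "-index" falls through to the filtered name "index".
$script = resolveViewScript(__DIR__ . '/views/scripts', '-index', 'index');
http_response_code($script === null ? 404 : 200);
```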