Issues

ZF-10535: Dispatcher Problem with extraneous characters

Issue Type: Docs: Problem Created: 2010-10-09T04:03:39.000+0000 Last Updated: 2012-05-29T17:35:15.000+0000 Status: Closed Fix version(s): Reporter: Arno Schäfer (arnoschaefer) Assignee: Adam Lundrigan (adamlundrigan) Tags: - Zend_Controller

Related issues: - ZF-11204

Attachments:

Description

I am not sure if this is a bug, but at least it needs to be properly documented.

I just noticed that ZF's standard dispatcher behaves differently from what I would have expected with extraneous characters in the action name such as -/+/.

For example, if I add a dash to the action name, e.g. "/foo/bar-", I do not get a Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_ACTION error, but instead, the barAction() method is called, and only afterwards ZF fails with a Zend_View_Exception: 'script 'foo/bar-.phtml' not found in path.

This is apparently due to the method Zend_Controller_Dispatcher_Abstract::_formatName silently stripping out all non-alphanumeric characters.

This is very unexpected and may at least disrupt error handling (resulting e.g. in an 'internal error' instead of 'file not found'), and potentially may have security implications if not properly handled.

  • is this the expected behaviour?
  • is it documented?
  • how can I handle this properly? Do I have to write my own dispatcher (I would rather not)?

Comments

No comments to display

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts