ZF-11017: Fix for bug in routing of URLs with encoded slashes

Issue Type: Bug
Created: 2011-02-01T02:36:00.000+0000
Last Updated: 2011-05-05T13:31:33.000+0000
Status: Resolved
Fix version(s): 1.11.6 (05/May/11)

Reporter: Martin Stricker (strickr)
Assignee: Ralph Schindler (ralph)
Tags: Zend_Controller

Related issues: ZF-3527



For the record: This bug is connected to encoded slashes in URLs & I know of the problem / necessity to have AllowEncodedSlashes On in the Apache configuration.

Problem: After an update to Zend version 1.11.1 (from an earlier version, can't remember which) I noticed that the framework didn't build correct routes and request parameters anymore if there were encoded slashes ("%2F") in one of the URL parameters (what's between 2 "real" slashes /). Requests which worked previously failed suddenly.

Fix: Remove (comment) line in Zend/Controller/Request/Http.php:626 (in method setPathInfo()):

<pre class="highlight">
// $requestUri = urldecode($requestUri);
</pre>

Haven't noticed any side effects so far. I would appreciate it if this change could be implemented in trunk (or other fix for the problem).


Posted by Marc Guyer (marcguyer) on 2011-05-03T15:16:14.000+0000

Confirmed this is an issue for me as well. It seems that a symptom may have been fixed in Zend_Rest_Route. The diff here appears to be the most likely solution:

My problem specifically is with double decoding plus (+) signs in params but this would be an issue with any similar character which can be decoded twice with two different results (from %2B to a plus sign to a space).

My 2 cents: I suspect that the root cause is Zend_Controller_Request_Http::setPathInfo() line 626: $requestUri = urldecode($requestUri);. As such, the fix to Zend_Rest_Route would likely need to be rolled back if my suspicion is correct.

Posted by Marc Guyer (marcguyer) on 2011-05-03T16:01:01.000+0000

It turns out that this could actually be a triple urldecode issue when Zend_Controller_Router_Route::match() comes into play and the route contains a wildcard.

It works for me with the diff from ZF-3527 and removing the urldecode from line 240 of Zend_Controller_Router_Route

<pre class="highlight">
//$this->_wildcardData[$var] = (isset($path[$i+1])) ? urldecode($path[$i+1]) : null;
$this->_wildcardData[$var] = (isset($path[$i+1])) ? $path[$i+1] : null;
</pre>

Posted by Ralph Schindler (ralph) on 2011-05-04T17:03:09.000+0000

Potential fix in trunk at r24002 - asking for watchers to test now.

Posted by Martin Stricker (strickr) on 2011-05-04T17:38:30.000+0000

Fix confirmed.

Posted by Ralph Schindler (ralph) on 2011-05-04T17:52:14.000+0000

Fixed in trunk at r24002.
Fixed in release branch 1.11 at r24003.

Posted by Marc Guyer (marcguyer) on 2011-05-05T13:31:33.000+0000

Confirmed this also fixes the issue of double decodable characters in slashy params.
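
The decoding order discussed in this thread, as an added PHP example that is not Zend Framework code and not code from any commenter: the function names and the sample path are constructed for illustration. It compares decoding the whole path before splitting (and decoding again per segment) with splitting on literal slashes first and decoding each segment once.

```php
<?php
// Added example; function names and the sample path are constructed.

// Behaviour described in the thread: decode the whole path, split on "/",
// then decode each segment a second time during route matching.
function segmentsDecodeThenSplit(string $rawPath): array
{
    $decoded = urldecode($rawPath);                // first decode, whole path
    $parts   = explode('/', trim($decoded, '/'));  // "%2F" is already a separator here
    return array_map('urldecode', $parts);         // second decode, per segment
}

// Decode-once behaviour: split on the literal slashes of the raw path,
// then decode each segment exactly one time.
function segmentsSplitThenDecode(string $rawPath): array
{
    $parts = explode('/', trim($rawPath, '/'));
    return array_map('urldecode', $parts);
}

// Regression helper: returns the segments whose value would change if any
// later stage of the pipeline decoded them again.
function segmentsSensitiveToRedecode(array $segments): array
{
    return array_values(array_filter($segments, function (string $s): bool {
        return urldecode($s) !== $s;
    }));
}

// Constructed request path: one parameter holds "a/b", another holds "1+1".
$raw = '/item/name/a%2Fb/expr/1%2B1';

$twice = segmentsDecodeThenSplit($raw);
$once  = segmentsSplitThenDecode($raw);

echo 'decode-then-split: ', json_encode($twice, JSON_UNESCAPED_SLASHES), PHP_EOL;
echo 'split-then-decode: ', json_encode($once, JSON_UNESCAPED_SLASHES), PHP_EOL;
echo 'values a further decode would alter: ',
    json_encode(segmentsSensitiveToRedecode($once), JSON_UNESCAPED_SLASHES), PHP_EOL;
```

The first variant changes both the number of segments and the value of the plus-sign parameter, which is why route matching and validation should run on values that have been decoded exactly once.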
