Issue Type: Bug Created: 2011-02-01T02:36:00.000+0000 Last Updated: 2011-05-05T13:31:33.000+0000 Status: Resolved Fix version(s): - 1.11.6 (05/May/11)
Reporter: Martin Stricker (strickr) Assignee: Ralph Schindler (ralph) Tags: - Zend_Controller
Related issues: - ZF-3527
For the record: This bug is connected to encoded slashes in URLs & I know of the problem / necessity to have AllowEncodedSlashes On in the Apache configuration.
Problem: After an update to Zend version 1.11.1 (from an earlier version, can't remember which ) I noticed that the framework didn't build correct routes and request parameters anymore if there were encoded slashes ("%2F") in one of the URL parameters (what's between 2 "real" slashes /). Requests which worked previously failed suddenly.
Fix: Remove (comment) line in Zend/Controller/Request/Http.php:626 (in method setPathInfo()):
// $requestUri = urldecode($requestUri);
Haven't noticed any side effects so far. I would appreciate if this change could be implemented in trunk (or other fix for the problem).
Posted by Marc Guyer (marcguyer) on 2011-05-03T15:16:14.000+0000
Confirmed this is an issue for me as well. It seems that a symptom may have been fixed in Zend_Rest_Route http://framework.zend.com/issues/browse/ZF-10964. The diff here appears to be the most likely solution: http://framework.zend.com/issues/browse/ZF-3527.
My problem specifically is with double decoding plus (+) signs in params but this would be an issue with any similar character which can be decoded twice with two different results (from %2B to a plus sign to a space).
My 2 cents: I suspect that the root cause is Zend_Controller_Request_Http::setPathInfo() line 626: $requestUri = urldecode($requestUri);. As such, the fix to Zend_Rest_Route would likely need to be rolled back if my suspicion is correct.
Posted by Marc Guyer (marcguyer) on 2011-05-03T16:01:01.000+0000
It turns out that this could actually be a triple urldecode issue when Zend_Controller_Router_Route::match() comes into play and the route contains a wildcard.
It works for me with the diff from ZF-3527 and removing the urldecode from line 240 of Zend_Controller_Router_Route
<pre class="highlight"> //$this->_wildcardData[$var] = (isset($path[$i+1])) ? urldecode($path[$i+1]) : null; $this->_wildcardData[$var] = (isset($path[$i+1])) ? $path[$i+1] : null;
Posted by Ralph Schindler (ralph) on 2011-05-04T17:03:09.000+0000
Potential fix in trunk at r24002 - asking for watchers to test now.
Posted by Martin Stricker (strickr) on 2011-05-04T17:38:30.000+0000
Posted by Ralph Schindler (ralph) on 2011-05-04T17:52:14.000+0000
Fixed in trunk at r24002 Fixed in release branch 1.11 at r24003
Posted by Marc Guyer (marcguyer) on 2011-05-05T13:31:33.000+0000
Confirmed this also fixes the issue of double decodable characters in slashy params.
Have you found an issue?
See the Overview section for more details.