Issue Type: Bug Created: 2011-03-21T12:29:33.000+0000 Last Updated: 2012-06-13T19:47:29.000+0000 Status: Open Fix version(s): Reporter: Rafael Paulino (rafa_corre) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Controller
Related issues: - ZF-10535
Attachments: - ZF-11204.patch
I was testing the security of my site with a scanner and it reported the error "Possible Backup File was found, " that's not what really happens, but Zend reports an error when it is passed in the url of the parameters below:
-controllername (http://framework.zend.com/-index) controllername- (http://framework.zend.com/about-) ~controllername controllername. (http://framework.zend.com/download.) .controllername controllername controllername
The error generated is this: script '-controllername/index.phtml' not found in path
The expected would be an "error 404" but not what happens. How do we arrange this?
Posted by Adam Lundrigan (adamlundrigan) on 2011-04-30T03:32:02.000+0000
It appears that unwanted characters (such as -) are stripped out of the controller name before dispatch, but ViewRenderer still uses the unfiltered controller name.
I've attached a patch which reproduces a single case of your issue.
Now the question: Would altering the behavior to strip out those unwanted characters from the view script name be considered a BC break?
Posted by Adam Lundrigan (adamlundrigan) on 2012-05-29T17:20:41.000+0000
Could we introduce a two-stage process for determining the view script name, ie: check first for the unfiltered script and if it's not found check for the filtered script name? That should alleviate any possible BC issues.
Have you found an issue?
See the Overview section for more details.