Issues

ZF-11204: Zend_Controllerr error - parameters in the url

Issue Type: Bug Created: 2011-03-21T12:29:33.000+0000 Last Updated: 2012-06-13T19:47:29.000+0000 Status: Open Fix version(s): Reporter: Rafael Paulino (rafa_corre) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Controller

  • After1.12.0
  • zf-caretaker-adamlundrigan

Related issues: - ZF-10535

Attachments: - ZF-11204.patch

Description

I was testing the security of my site with a scanner and it reported the error "Possible Backup File was found, " that's not what really happens, but Zend reports an error when it is passed in the url of the parameters below:

-controllername (http://framework.zend.com/-index) controllername- (http://framework.zend.com/about-) ~controllername controllername. (http://framework.zend.com/download.) .controllername controllername controllername

The error generated is this: script '-controllername/index.phtml' not found in path

The expected would be an "error 404" but not what happens. How do we arrange this?

Comments

Posted by Adam Lundrigan (adamlundrigan) on 2011-04-30T03:32:02.000+0000

It appears that unwanted characters (such as -) are stripped out of the controller name before dispatch, but ViewRenderer still uses the unfiltered controller name.

I've attached a patch which reproduces a single case of your issue.

Now the question: Would altering the behavior to strip out those unwanted characters from the view script name be considered a BC break?

Posted by Adam Lundrigan (adamlundrigan) on 2012-05-29T17:20:41.000+0000

Could we introduce a two-stage process for determining the view script name, ie: check first for the unfiltered script and if it's not found check for the filtered script name? That should alleviate any possible BC issues.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts