ZF-12467: Invalid controller name specified into request

Issue Type: Bug Created: 2012-11-14T10:56:26.000+0000 Last Updated: 2012-11-20T19:14:48.000+0000 Status: Closed Fix version(s): Reporter: Jari Turkia (hqjatu) Assignee: Ben Scholzen (dasprid) Tags: - Zend_Controller_Router

Related issues: Attachments:


If user makes a mistake on accidentally enters incorrect controller, it is set into request as-is in Zend_Controller_Router_Rewrite::_setRequestParams(). However, in Zend_Controller_Dispatcher_Abstract::_formatName() there is a preg_replace('/[^a-z0-9 ]/', '') when forming the controller name.

Now, in my code I cannot rely that controller name has been properly filtered, nor what the class name ended up to be!

I'm currently studying the implications of rejecting illegal controller names or alternatively, silently accepting the filtering result.


Posted by Jari Turkia (hqjatu) on 2012-11-14T11:58:20.000+0000

I ended up inheriting my own Controller_Router_Rewrite. The only thing I'm doing there is:

<pre class="literal"> 
     * Set module, controller and action to request
     * Confirm that they are sane
    protected function _setRequestParams($request, $params)
        parent::_setRequestParams($request, $params);

        if (!preg_match('/^[a-z0-9 ]+$/', strtolower($request->getModuleName()))) {
            require_once 'Zend/Controller/Router/Exception.php';
            throw new Zend_Controller_Router_Exception('Badly formatted module: ' . $request->getModuleName(), 412);
        if (!preg_match('/^[a-z0-9 ]+$/', strtolower($request->getControllerName()))) {
            require_once 'Zend/Controller/Router/Exception.php';
            throw new Zend_Controller_Router_Exception('Badly formatted controller: ' . $request->getControllerName(), 412);
        if (!preg_match('/^[a-z0-9 ]+$/', strtolower($request->getActionName()))) {
            require_once 'Zend/Controller/Router/Exception.php';
            throw new Zend_Controller_Router_Exception('Badly formatted action: ' . $request->getActionName(), 412);

Posted by Rob Allen (rob) on 2012-11-16T16:31:38.000+0000

This won't be changed in the core of ZF as extending the class as noted in the comments is a good workaround for anyone who needs this functionality .

Posted by Jari Turkia (hqjatu) on 2012-11-16T19:58:49.000+0000

Let's think this for a second. I'll present a really stupid example, but bear with me.

Assume that somebody using Windows would define a controller in filename PrintglobalspasswordController.php like this:

<pre class="literal">
global $password;
$password = "reallysecret123";

class PrintglobalspasswordController extends Zend_Controller_Action
    public function indexAction()
        $cntr = $this->getRequest()->getControllerName();
        $PrintglobalspasswordController = "not this";
        print eval($cntr);

I'm the first one to state, that if anyone would write such a code, he would be a total dumbass. Also I'd say that the code would not work. But I've seen really wonderful things happen (and written).

You would see some sort of runtime error when accessing:

But guess what happens when user accesses it like this: $GLOBALS["password"];

Yep. You guessed it!

My scenario is really far fetched and very stupid, but the way I run my business, I choose to sanitize user input. Period. Looks like at Zend you really don't care.

That's sad. I really thought that you are professionals there.

Posted by Rob Allen (rob) on 2012-11-20T11:00:29.000+0000

I can't see how this theoretical attack could ever work as if you go to $GLOBALS["password"]; then you get an exception of:

Invalid controller specified (print%20$GLOBALS%5B%22password%22%5D;)

which means that any code in the PrintglobalspasswordController class wouldn't run.

What I'm saying is that I don't think that there's actually a possibly security issue here due to the way the router and dispatcher work. If you have a working proof of concept, please email

Posted by Rob Allen (rob) on 2012-11-20T11:01:21.000+0000

That error is actually:



Posted by Jari Turkia (hqjatu) on 2012-11-20T19:14:48.000+0000

Sir, you're correct. But only if you did not touch routing. Out-of-the-box the only router is a Zend\_Controller\_Router\_Route\_Module which seems to do urlencoding for it's parameters.

In my case app, I don't have the luxury of using solely module-routes. There are a number of Zend\_Controller\_Router\_Route routes which don't sanitize or encode input strings. Which is pretty much my point.



Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.