Security Advisory: ZF2013-01

ZF2013-01: Route Parameter Injection Via Query String in Zend\Mvc

In Zend Framework 2, Zend\Mvc\Router\Http\Query is used primarily to allow appending query strings to URLs when assembled. However, due to the fact that it captures any query parameters into the RouteMatch, and the fact that RouteMatch parameters are merged with any parent routes, this can lead to overriding already captured routing parameters, bypassing constraints defined in the parents.

As an example, consider the following route definition:

    'user' => array(
        'type' => 'segment',
        'options' => array(
            'route' => '/user/:key',
            'defaults' => array(
                'controller' => 'UserController',
                'action'     => 'show-action',
            'constraints' => array(
                'key' => '[a-z0-9]+',
        'child_routes' => array(
            'query' => array('type' => 'query'),

If the request URI was /user/foo/?controller=SecretController&key=invalid_value, the RouteMatch returned after routing would contain the following:

    'controller' => 'SecretController',
    'action'     => 'show-action',
    'key'        => 'invalid_value',

This would lead to execution of a different controller than intended, with a value for the key parameter that bypassed the constraints outlined in the parent route.

Action Taken

Zend Framework 2.1 introduced changes to the router implementation that now allows passing both query string values and fragment values during URI assembly, effectively obsoleting the original use case of the Query route. As an example, you can now do the following:

$url = $router->assemble(array(
    'name' => 'foo',
), array(
    'query' => array(
        'page' => 3,
        'sort' => 'DESC',
    // or: 'query' => 'page=3&sort=DESC'

// via URL helper/plugin:
$rendererOrController->url('foo', array(), array('query' => $request->getQuery()));

As such, for versions 2.0.8 and 2.1.4, we have marked Zend\Mvc\Router\Http\Query deprecated. Additionally, we have modified the code in its match() method to no longer pass the query parameters to the RouteMatch, eliminating the possibility of route parameter injection entirely.


If you are using the Query route in Zend Framework 2, we recommend upgrading to Zend Framework 2.0.8 or 2.1.4 immediately.

Other Information


The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • codemagician for alerting us to the issue
  • Ben Scholzen for providing the solution

Released 2013-03-14

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.