Router::url should passthru //example.com/file.ext

The function allows ://example.com/file.ext but was treating //example.com as cake-relative URL. The updated regex matches URI schemes as defined in RFC2396. Will passthru any of these formats: * Starts with a valid URI scheme (javascript:, https:, itunes:, ftp:) * Starts with a '#' * [NEW] Starts with a '?' which may be meaningless, but is as valid as starting with '#' (RFC1808) * starts with //, or :// (:// is not technically valid, but included for compatibilty)
cakephp · Jun 21, 2013 · 2fd36bd · 2fd36bd
1 parent cfdac5e
commit 2fd36bd
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/Cake/Routing/Router.php b/lib/Cake/Routing/Router.php
@@ -870,7 +870,7 @@ public static function url($url = null, $full = false) {
 				$output = self::_handleNoRoute($url);
 			}
 		} else {
-			if (preg_match('/:\/\/|^(javascript|mailto|tel|sms):|^\#/i', $url)) {
+			if (preg_match('/^([a-z][a-z0-9.+\-]+:|:?\/\/|[#?])/i', $url)) {
 				return $url;
 			}
 			if (substr($url, 0, 1) === '/') {

diff --git a/lib/Cake/Test/Case/Routing/RouterTest.php b/lib/Cake/Test/Case/Routing/RouterTest.php
@@ -2555,6 +2555,9 @@ public function testUrlProtocol() {
 		$url = '://example.com';
 		$this->assertEquals($url, Router::url($url));
 
+		$url = '//example.com';
+		$this->assertEquals($url, Router::url($url));
+
 		$url = 'javascript:void(0)';
 		$this->assertEquals($url, Router::url($url));
 
@@ -2566,6 +2569,10 @@ public function testUrlProtocol() {
 
 		$url = '#here';
 		$this->assertEquals($url, Router::url($url));
+
+		$url = '?param=0';
+		$this->assertEquals($url, Router::url($url));
+
 		$url = 'posts/index#here';
 		$expected = FULL_BASE_URL . '/posts/index#here';
 		$this->assertEquals($expected, Router::url($url, true));