bug #36286 [Validator] Allow URL-encoded special characters in basic auth part of URLs (cweiske)

This PR was submitted for the master branch but it was merged into the 3.4 branch instead.

Discussion
----------

[Validator] Allow URL-encoded special characters in basic auth part of URLs

| Q             | A
| ------------- | ---
| Branch?       | 5.0
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #36285
| License       | MIT

Special characters in HTTP Basic Auth passwords in a URL need to be URL-encoded.

Example: `foo@bar` becomes `foo%40bar`, in a URL: `http://user:foo%40bar@example.org`

The UrlValidator did not allow percent signs in username and password, and this is changed now.

Commits
-------

8a56c50 Allow URL-encoded special characters in basic auth part of URLs
fabpot committed Apr 4, 2020
2 parents 6dbf9eb + 8a56c50 commit 6254cdb
Showing 2 changed files with 5 additions and 1 deletion.
Expand Up @@ -23,7 +23,7 @@ class UrlValidator extends ConstraintValidator
{
const PATTERN = '~^
(%s):// # protocol
(([\_\.\pL\pN-]+:)?([\_\.\pL\pN-]+)@)? # basic auth
(((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)? # basic auth
(
([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
| # or
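Review bot: The new `%%[0-9A-Fa-f]{2}` alternative on the basic auth line accepts any encoded byte in both the username and the password group, so `%00`, `%0A` and `%0D` now pass validation alongside `%40`. If only printable special characters are meant to be allowed, narrow the accepted hex values; if every byte is intended, say so in a comment so that code which later decodes the userinfo knows it has to handle control bytes. A short comment that `%%` is the format escape for a literal `%` (the pattern carries a `%s` placeholder on the protocol line) would also help, since as written it reads like two percent signs. The added alternation is non-capturing, so the existing group numbers are unchanged.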
Expand Up @@ -122,6 +122,8 @@ public function getValidUrls()
['http://user.name:pass.word@symfony.com'],
['http://user-name@symfony.com'],
['http://user_name@symfony.com'],
['http://u%24er:password@symfony.com'],
['http://user:pa%24%24word@symfony.com'],
['http://symfony.com?'],
['http://symfony.com?query=1'],
['http://symfony.com/?query=1'],
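Review bot: Both added valid cases use only `%24`, so the letter half of `[0-9A-Fa-f]` is never exercised, and neither is the example from the PR description. Add the description's own case, e.g. `['http://user:foo%40bar@symfony.com']`, plus one escape with an uppercase hex letter and one with a lowercase hex letter (for instance `%2F` and `%2f`) so both ranges of the character class are covered.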
Expand Down Expand Up @@ -168,6 +170,8 @@ public function getInvalidUrls()
['http://:password@@symfony.com'],
['http://username:passwordsymfony.com'],
['http://usern@me:password@symfony.com'],
['http://nota%hex:password@symfony.com'],
['http://username:nota%hex@symfony.com'],
['http://example.com/exploit.html?<script>alert(1);</script>'],
['http://example.com/exploit.html?hel lo'],
['http://example.com/exploit.html?not_a%hex'],
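Review bot: Both added invalid cases fail on the first character after `%` (`%he`), so nothing checks that the `{2}` quantifier rejects an escape with only one valid hex digit or a bare trailing `%`. Add cases such as `['http://user%4x:password@symfony.com']` and `['http://username:pass%@symfony.com']` to cover the truncated forms.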