
Fix issues #388 & #705

(thanks to @sourcejedi, PR #1326 for pointing inconsistencies with RFC2616
1 parent 0bae250 commit 9dd2dbb8b9a3edecddcb3907b65a402fd1ae71b4 @narfbg narfbg committed Oct 31, 2012
Showing with 7 additions and 5 deletions.
  1. +5 −4 system/core/URI.php
  2. +2 −1 user_guide_src/source/changelog.rst
@@ -188,7 +188,7 @@ protected function _parse_request_uri()
$uri = parse_url($_SERVER['REQUEST_URI']);
$query = isset($uri['query']) ? $uri['query'] : '';
- $uri = isset($uri['path']) ? $uri['path'] : '';
+ $uri = isset($uri['path']) ? rawurldecode($uri['path']) : '';
if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0)
{
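Review bot: `rawurldecode($uri['path'])` on the changed line decodes the whole path before it is split into segments, so a `%2F` that was meant as data inside one segment becomes a real `/` and changes the segment count. If that is intended, say so in a comment and in the URI library docs; otherwise split on `/` first and decode each segment afterwards.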
@@ -204,7 +204,7 @@ protected function _parse_request_uri()
if (trim($uri, '/') === '' && strncmp($query, '/', 1) === 0)
{
$query = explode('?', $query, 2);
- $uri = $query[0];
+ $uri = rawurldecode($query[0]);
$_SERVER['QUERY_STRING'] = isset($query[1]) ? $query[1] : '';
}
else
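Review bot: the order in this branch matters and is undocumented: `explode('?', $query, 2)` runs first and only `$query[0]` is decoded, which is what keeps an encoded `%3f` in the path from being read as the query separator. Add a one-line comment so nobody moves the decode above the split later. The same `rawurldecode()` call now appears in three places in this file, so a small private helper would keep them consistent.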
@@ -245,8 +245,9 @@ protected function _parse_query_string()
{
$uri = explode('?', $uri, 2);
$_SERVER['QUERY_STRING'] = isset($uri[1]) ? $uri[1] : '';
- $uri = $uri[0];
+ $uri = rawurldecode($uri[0]);
}
+
$this->_reset_query_string();
return str_replace(array('//', '../'), '/', trim($uri, '/'));
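Review bot: with `rawurldecode($uri[0])` added, the `str_replace(array('//', '../'), '/', trim($uri, '/'))` on the return line is now what cleans up decoded dot segments and doubled slashes, and `str_replace()` does not re-scan its own output, so one pass can leave a `../` or `//` behind. Consider repeating the replacement until the string stops changing, or rejecting dot segments outright. The blank line added after the closing brace is an unrelated whitespace change.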
@@ -325,7 +326,7 @@ public function _filter_uri($str)
{
// preg_quote() in PHP 5.3 escapes -, so the str_replace() and addition of - to preg_quote() is to maintain backwards
// compatibility as many are unaware of how characters in the permitted_uri_chars will be parsed as a regex pattern
- if ( ! preg_match('|^['.str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-')).']+$|i', urldecode($str)))
+ if ( ! preg_match('|^['.str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '|')).']+$|i', $str))
{
show_error('The URI you submitted has disallowed characters.', 400);
}
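Review bot: `_filter_uri()` is public and, with `urldecode($str)` removed from the `preg_match()` call, the `permitted_uri_chars` check is only meaningful if every caller has already decoded its input; a caller that passes a still-encoded string is now matched against the raw `%xx` text. Document that precondition in the method's docblock. The comment above the `if` still talks about the "addition of - to preg_quote()", but the delimiter argument is now `'|'`, so that comment needs updating too.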
@@ -406,7 +406,8 @@ Bug fixes for 3.0
- Fixed a bug (#142) - :doc:`Form Helper <helpers/form_helper>` function ``form_dropdown()`` didn't escape HTML entities in option values.
- Fixed a bug (#50) - :doc:`Session Library <libraries/sessions>` unnecessarily stripped slashed from serialized data, making it impossible to read objects in a namespace.
- Fixed a bug (#658) - :doc:`Routing <general/routing>` wildcard **:any** didn't work as advertised and matched multiple URI segments instead of all characters within a single segment.
-- Fixed a bug (#1938) - :doc:`Email <libraries/email>` where the email library removed multiple spaces inside a pre-formatted plain text message.
+- Fixed a bug (#1938) - :doc:`Email Library <libraries/email>` removed multiple spaces inside a pre-formatted plain text message.
+- Fixed a bug (#388, #705) - :doc:`URI Library <libraries/uri>` didn't apply URL-decoding to URI segments that it got from **REQUEST_URI** and/or **QUERY_STRING**.
Version 2.1.3
=============
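Review bot: the new #388/#705 entry should also mention the behaviour change for `permitted_uri_chars`: the filter used to check `urldecode($str)`, which turns `+` into a space, while segments are now decoded with `rawurldecode()`, which leaves `+` as it is, so sites relying on the old behaviour will see different results. The rewording of the #1938 entry is unrelated to this fix and would be cleaner in its own commit.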

1 comment on commit 9dd2dbb

Contributor

sourcejedi commented on 9dd2dbb Oct 31, 2012

Nice! Simple and powerful.

You went for a slightly different approach than I did. I was thinking QUERY_STRING should always be decoded first, so we would accept something like

index.php?controller/method%3fparam=value

But I prefer your code here - so I looked at RFC3986, and I think your approach is actually fine.
