[FrameworkBundle] Detect indirect env vars in routing

symfony · Aug 5, 2019 · ceaa1b3 · ceaa1b3
1 parent f0c6669
commit ceaa1b3
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/src/Symfony/Bundle/FrameworkBundle/Routing/Router.php b/src/Symfony/Bundle/FrameworkBundle/Routing/Router.php
@@ -147,7 +147,7 @@ private function resolve($value)
                 return '%%';
             }
 
-            if (preg_match('/^env\(\w+\)$/', $match[1])) {
+            if (preg_match('/^env\((?:\w++:)*+\w++\)$/', $match[1])) {
                 throw new RuntimeException(sprintf('Using "%%%s%%" is not allowed in routing configuration.', $match[1]));
             }
 
@@ -156,7 +156,7 @@ private function resolve($value)
             if (\is_string($resolved) || is_numeric($resolved)) {
                 $this->collectedParameters[$match[1]] = $resolved;
 
-                return (string) $resolved;
+                return (string) $this->resolve($resolved);
             }
 
             throw new RuntimeException(sprintf('The container parameter "%s", used in the route configuration value "%s", must be a string or numeric, but it is of type %s.', $match[1], $value, \gettype($resolved)));

diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/Routing/RouterTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/Routing/RouterTest.php
@@ -14,6 +14,7 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Bundle\FrameworkBundle\Routing\Router;
 use Symfony\Component\DependencyInjection\Config\ContainerParametersResource;
+use Symfony\Component\DependencyInjection\Exception\RuntimeException;
 use Symfony\Component\Routing\Route;
 use Symfony\Component\Routing\RouteCollection;
 
@@ -122,13 +123,13 @@ public function testPatternPlaceholders()
         $routes->add('foo', new Route('/before/%parameter.foo%/after/%%escaped%%'));
 
         $sc = $this->getServiceContainer($routes);
-        $sc->setParameter('parameter.foo', 'foo');
+        $sc->setParameter('parameter.foo', 'foo-%%escaped%%');
 
         $router = new Router($sc, 'foo');
         $route = $router->getRouteCollection()->get('foo');
 
         $this->assertEquals(
-            '/before/foo/after/%escaped%',
+            '/before/foo-%escaped%/after/%escaped%',
             $route->getPath()
         );
     }
@@ -147,6 +148,22 @@ public function testEnvPlaceholders()
         $router->getRouteCollection();
     }
 
+    public function testIndirectEnvPlaceholders()
+    {
+        $routes = new RouteCollection();
+
+        $routes->add('foo', new Route('/%foo%'));
+
+        $router = new Router($container = $this->getServiceContainer($routes), 'foo');
+        $container->setParameter('foo', 'foo-%bar%');
+        $container->setParameter('bar', '%env(string:FOO)%');
+
+        $this->expectException(RuntimeException::class);
+        $this->expectExceptionMessage('Using "%env(string:FOO)%" is not allowed in routing configuration.');
+
+        $router->getRouteCollection();
+    }
+
     public function testHostPlaceholders()
     {
         $routes = new RouteCollection();