[2.1][Security] Check_path and logout fails on non latin path #5695

Closed
omgnull opened this Issue Oct 8, 2012 · 4 comments


omgnull commented Oct 8, 2012

RuntimeException: You must activate the logout in your security firewall configuration

For example:

    # app/config/security.yml
    security:
        firewalls:
            main:
                form_login:

                    # this is ok
                    login_path:  /вход

                    # check_path fails
                    check_path:  /авторизация
                logout:
                    # logout path fails
                    path:   /выход

All this happens because of Symfony\Component\Security\Http\HttpUtils::checkRequestPath: the request query string is not URL-decoded.

    public function checkRequestPath(Request $request, $path)
    {
        if ('/' !== $path[0]) {
            try {
                $parameters = $this->urlMatcher->match($request->getPathInfo());

                return $path === $parameters['_route'];
            } catch (MethodNotAllowedException $e) {
                return false;
            } catch (ResourceNotFoundException $e) {
                return false;
            }
        }

        /**
        * var_dump($request->getPathInfo()) ;
        * var_dump($path);
        * ("/%d0%b2%d1%8b%d1%85%d0%be%d0%b4" === $request->getPathInfo()) true
        * ($path === urldecode($request->getPathInfo())) true
        */
        return $path === $request->getPathInfo();
    }
Member

Tobion commented Oct 8, 2012

Yes, seems right. Will you provide a PR with a test? But please use rawurldecode.
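
The mismatch reported above and the difference between the two decoders, as an added PHP example that is not part of the thread or of Symfony's code. `pathMatches()` is a hypothetical stand-in for the literal-path branch of `checkRequestPath()`, and the sample paths are constructed; the third case shows that `urldecode()` also turns a literal `+` into a space, which `rawurldecode()` does not.

```php
<?php
// Added example, not Symfony's code. pathMatches() is a hypothetical stand-in
// for the literal-path branch of HttpUtils::checkRequestPath().
// Save this file as UTF-8 so the Cyrillic literals match the encoded bytes.

function pathMatches(string $configured, string $pathInfo, ?callable $decode = null): bool
{
    // Optionally decode the path info, then compare byte for byte.
    if (null !== $decode) {
        $pathInfo = $decode($pathInfo);
    }

    return $configured === $pathInfo;
}

// Constructed samples: label => [path from security.yml, path info on the wire].
$cases = [
    'logout'     => ['/выход', '/%d0%b2%d1%8b%d1%85%d0%be%d0%b4'],
    'check_path' => ['/авторизация', '/' . rawurlencode('авторизация')],
    'literal +'  => ['/a+b', '/a+b'],
];

// Print, per case, whether the configured path matches with no decoding,
// with urldecode() and with rawurldecode().
foreach ($cases as $label => [$configured, $pathInfo]) {
    printf(
        "%-10s raw=%-5s urldecode=%-5s rawurldecode=%s\n",
        $label,
        var_export(pathMatches($configured, $pathInfo), true),
        var_export(pathMatches($configured, $pathInfo, 'urldecode'), true),
        var_export(pathMatches($configured, $pathInfo, 'rawurldecode'), true)
    );
}
```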

omgnull commented Oct 8, 2012

Yes. Later. It's not critical.

Contributor

dlsniper commented Nov 17, 2012

Hi, is this still a problem given the latest Routing changes? Thanks!

omgnull commented Nov 17, 2012

No, it's still present.

@fabpot fabpot closed this in d6a402a Dec 11, 2012

fabpot added a commit that referenced this issue Dec 11, 2012

Merge branch '2.1'
* 2.1:
  fixed CS
  fixed CS
  [Security] fixed path info encoding (closes #6040, closes #5695)
  [HttpFoundation] added some tests for the previous merge and removed dead code (closes #6037)
  Improved Cache-Control header when no-cache is sent
  removed unneeded comment
  Fix to allow null values in labels array
  fix date in changelog
  removed the Travis icon (as this is not stable enough -- many false positive, closes #6186)
  Revert "merged branch gajdaw/finder_splfileinfo_fpassthu (PR #4751)" (closes #6224)
  Fixed a typo
  Fixed: HeaderBag::parseCacheControl() not parsing quoted zero correctly
  [Form] Fix const inside an anonymous function
  [Config] Loader::import must return imported data
  [DoctrineBridge] Fixed caching in DoctrineType when "choices" or "preferred_choices" is passed
  [Form] Fixed the default value of "format" in DateType to DateType::DEFAULT_FORMAT if "widget" is not "single_text"
  [HttpFoundation] fixed a small regression

Conflicts:
	src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/MongoDbSessionHandlerTest.php