[Validator] fix URL validator to detect non supported chars according to RFC 3986

e-moe · e-moe · commit 72ce7322aea8 · 2017-03-16T15:44:22.000+02:00
diff --git a/src/Symfony/Component/Validator/Constraints/UrlValidator.php b/src/Symfony/Component/Validator/Constraints/UrlValidator.php
@@ -20,8 +20,8 @@
  */
 class UrlValidator extends ConstraintValidator
 {
-    const PATTERN = '~^
-            (%s)://                                 # protocol
+    const PATTERN = '<^
+            (%protocol%)://                         # protocol
             (([\pL\pN-]+:)?([\pL\pN-]+)@)?          # basic auth
             (
                 ([\pL\pN\pS-\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
@@ -33,8 +33,10 @@ class UrlValidator extends ConstraintValidator
                 \]  # an IPv6 address
             )
             (:[0-9]+)?                              # a port (optional)
-            (/?|/\S+|\?\S*|\#\S*)                   # a /, nothing, a / with something, a query or a fragment
-        $~ixu';
+            (?:/ (?:[\pL\pN\-._~!$&\'()*+,;=:@]|%[0-9A-Fa-f]{2})* )*      # a path
+            (?:\? (?:[\pL\pN\-._~!$&\'()*+,;=:@/?]|%[0-9A-Fa-f]{2})* )?   # a query (optional)
+            (?:\# (?:[\pL\pN\-._~!$&\'()*+,;=:@/?]|%[0-9A-Fa-f]{2})* )?   # a fragment (optional)
+        $>ixu';
 
     /**
      * {@inheritdoc}
@@ -58,7 +60,7 @@ public function validate($value, Constraint $constraint)
             return;
         }
 
-        $pattern = sprintf(static::PATTERN, implode('|', $constraint->protocols));
+        $pattern = str_replace('%protocol%', implode('|', $constraint->protocols), static::PATTERN);
 
         if (!preg_match($pattern, $value)) {
             $this->context->buildViolation($constraint->message)
diff --git a/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php b/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
@@ -163,6 +163,8 @@ public function getInvalidUrls()
             array('http://:password@@symfony.com'),
             array('http://username:passwordsymfony.com'),
             array('http://usern@me:password@symfony.com'),
+            array('http://example.com/exploit.html?<script>alert(1);</script>'),
+            array('http://example.com/exploit.html?hel lo'),
         );
     }
 

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,8 @@ public function getInvalidUrls()`
`163`	`163`	`array('http://:password@@symfony.com'),`
`164`	`164`	`array('http://username:passwordsymfony.com'),`
`165`	`165`	`array('http://usern@me:password@symfony.com'),`
	`166`	`+ array('http://example.com/exploit.html?<script>alert(1);</script>'),`
	`167`	`+ array('http://example.com/exploit.html?hel lo'),`
`166`	`168`	`);`
`167`	`169`	`}`
`168`	`170`