[UrlValidator] Url with curly braces is not correctly validated #58720

Open
ODY90 opened this issue Oct 30, 2024 · 5 comments

ODY90 commented Oct 30, 2024

Symfony version(s) affected

v7.1.6

Description

Found that a correct URL is processed with an error by the URL validator:

```php
// Url is Symfony\Component\Validator\Constraints\Url,
// Validation is Symfony\Component\Validator\Validation
$url = 'https://www.google.com/webhp?q={price}'; // valid url

$validator = Validation::createValidator();
$constraints = [new Url(relativeProtocol: true, requireTld: false)];
$validator->validate($url, $constraints)->count(); // 1
```

It seems we need to add curly braces to the allowed symbols in the regex for the query section of the URL.

How to reproduce

```php
<?php
require_once __DIR__.'/vendor/autoload.php';

use Symfony\Component\Validator\Constraints\Url;
use Symfony\Component\Validator\Validation;

$url = 'https://www.google.com/webhp?q={price}'; // valid url

$validator = Validation::createValidator();
$constraints = [new Url(relativeProtocol: true, requireTld: false)];

// Number of constraint violations reported for $url
var_dump($validator->validate($url, $constraints)->count()); // 1
```

Possible Solution

current

```
(?:\? (?:[\pL\pN\-._\~!$&\'\[\]()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )?   # a query (optional)
```

added \{\}

```
(?:\? (?:[\pL\pN\-._\~!$&\'\[\]\{\}()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )?   # a query (optional)
```

Additional Context

No response

@yuukikuno

Hi @ODY90, as far as I'm aware curly brackets are not considered valid in URLs and must be url-encoded (see RFC3986)
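
The RFC 3986 point from the comment above, as an added example that is not part of the thread or of Symfony's code: a strict check of the query component against the RFC 3986 `query` grammar that percent-encodes whatever falls outside it, which is one way to normalise such URLs before they reach a validator. The function and constant names are hypothetical; the validator regex quoted in the issue is more lenient than this grammar, since it also accepts `[`, `]` and Unicode letters and digits.

```php
<?php
// Added example, not Symfony code; all function and constant names are hypothetical.
// RFC 3986: query = *( pchar / "/" / "?" )
//           pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
// Neither {} nor [] is in that set, so both must be percent-encoded in a query.
const QUERY_LITERALS = 'A-Za-z0-9\-._~!$&\'()*+,;=:@/?';

/** Split a URL into [part before "?", query or null, "#fragment" or ""]. */
function splitQuery(string $url): array
{
    $fragment = '';
    if (($pos = strpos($url, '#')) !== false) {
        $fragment = substr($url, $pos);
        $url = substr($url, 0, $pos);
    }
    $pos = strpos($url, '?');
    return $pos === false
        ? [$url, null, $fragment]
        : [substr($url, 0, $pos), substr($url, $pos + 1), $fragment];
}

/** Percent-encode every query byte the grammar above does not allow. */
function encodeQuery(string $url, array &$offending = []): string
{
    [$head, $query, $fragment] = splitQuery($url);
    if ($query === null) {
        return $url;
    }
    // A "%" that does not start a valid triplet, or any other disallowed byte.
    $pattern = '#%(?![0-9A-Fa-f]{2})|[^%' . QUERY_LITERALS . ']#';
    $query = preg_replace_callback($pattern, function (array $m) use (&$offending): string {
        $offending[] = $m[0];
        return rawurlencode($m[0]);
    }, $query);

    return $head . '?' . $query . $fragment;
}

// URLs taken from the thread above.
foreach ([
    'https://www.google.com/webhp?q={price}',
    'https://www.google.com/search?q=[price]',
    'https://www.google.com/search?q=%7Bprice%7D',
] as $url) {
    $offending = [];
    $encoded = encodeQuery($url, $offending);
    printf("%s\n  outside grammar: %s\n  encoded: %s\n", $url, implode(' ', $offending) ?: '(none)', $encoded);
}
```

Matching is byte-wise, so each byte of a non-ASCII character is encoded as its own `%XX` triplet, and already valid triplets such as `%7B` are left untouched.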

Author

ODY90 commented Oct 31, 2024

I am not good with RFCs =) But after a quick search, I found nothing regarding curly braces. Moreover, square brackets are in the list of reserved characters, but they are allowed in regular expressions and browsers process them as well.
The latest Chrome processes curly braces without encoding, but some differences exist with curl:

```
curl "https://www.google.com/search?q=%7Bprice%7D" -o search1.html
```

Gives {price} in the search field, but

```
curl "https://www.google.com/search?q={price}" -o search2.html
```

Gives price in the search field.
I assume chrome might be cheating and encode somewhere under the hood.

Oh, I found something more interesting)

```
curl "https://www.google.com/search?q=[price]" -o search5.html
curl: (3) bad range in URL position 34:
https://www.google.com/search?q=[price]
                                 ^
```

But

```
curl -g "https://www.google.com/search?q=[price]" -o search5.html
```

works well and passes the brackets to the input; the same goes for curly braces.
Sorry for the long story, but as for me, curly braces are a valid symbol in the query part of a URL.

@carsonbot

Hey, thanks for your report!
There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?

@carsonbot

Friendly reminder that this issue exists. If I don't hear anything I'll close this.

Member

stof commented May 15, 2025

Be careful that the curl tool has some special globbing features (the bad range in URL position 34 error comes from that feature), which involves both curly and square brackets (this is why the non-encoded {} around price disappear, as it is treated as a glob alternative with a single choice). You should use the --globoff (short -g) to test how the webserver behaves for them.

> I assume chrome might be cheating and encode somewhere under the hood.

That comment looks weird to me. You were testing with curl, not with chrome
