From 16fc5956091ea0bd83a34763408fd0c0320ebabb Mon Sep 17 00:00:00 2001
From: karstennilsen
Date: Tue, 14 May 2024 14:03:37 +0200
Subject: [PATCH] [Validator] IBAN Check digits should always between 2 and 98
---
 .../Validator/Constraints/IbanValidator.php | 12 ++++++++++++
 .../Tests/Constraints/IbanValidatorTest.php | 6 ++++++
 2 files changed, 18 insertions(+)
diff --git a/src/Symfony/Component/Validator/Constraints/IbanValidator.php b/src/Symfony/Component/Validator/Constraints/IbanValidator.php
index 173cb6678dc0e..423e0099d94c5 100644
--- a/src/Symfony/Component/Validator/Constraints/IbanValidator.php
+++ b/src/Symfony/Component/Validator/Constraints/IbanValidator.php
@@ -228,6 +228,18 @@ public function validate($value, Constraint $constraint)
 return;
 }
+ // Check digits should always between 2 and 98
+ // A ECBS document (https://www.ecbs.org/Download/EBS204_V3.PDF) replicates part of the ISO/IEC 7064:2003 standard as a method for generating check digits in the range 02 to 98.
+ $checkDigits = (int) substr($canonicalized, 2, 2);
+ if ($checkDigits < 2 || $checkDigits > 98) {
+ $this->context->buildViolation($constraint->message)
+ ->setParameter('{{ value }}', $this->formatValue($value))
+ ->setCode(Iban::CHECKSUM_FAILED_ERROR)
+ ->addViolation();
+
+ return;
+ }
+
 // Move the first four characters to the end
 // e.g. CH93 0076 2011 6238 5295 7
 // -> 0076 2011 6238 5295 7 CH93
diff --git a/src/Symfony/Component/Validator/Tests/Constraints/IbanValidatorTest.php b/src/Symfony/Component/Validator/Tests/Constraints/IbanValidatorTest.php
index 70994f509170c..566430079d6b1 100644
--- a/src/Symfony/Component/Validator/Tests/Constraints/IbanValidatorTest.php
+++ b/src/Symfony/Component/Validator/Tests/Constraints/IbanValidatorTest.php
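Review bot: The comment above the new `$checkDigits` guard in validate() gives the range but not the reason the guard is needed, and its wording is off ("should always between", "A ECBS"). Check digits 00, 01 and 99 are congruent modulo 97 to 97, 98 and 02, so a modulus-only test (presumably the one that follows the "Move the first four characters" step, outside this hunk) accepts them as aliases of a valid IBAN. That leaves several accepted spellings of one account, which matters wherever IBANs are compared for deduplication or allow/deny lists. I would write `// Check digits must be between 02 and 98: 00, 01 and 99 pass the mod-97 test as aliases of 97, 98 and 02 but are never generated (ISO/IEC 7064).` and keep the ECBS link on the following line. The `(int)` cast relies on the format check earlier in validate(), outside the hunk, having already guaranteed two digits at offset 2; a non-numeric pair would cast to 0 and be rejected, so the guard fails closed either way.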
@@ -401,6 +401,12 @@ public static function getIbansWithValidFormatButIncorrectChecksum()
 ['UA213223130000026007233566002'], // Ukraine
 ['AE260211000000230064017'], // United Arab Emirates
 ['VA59001123000012345671'], // Vatican City State
+
+ // Checksum digits not between 02 and 98
+ ['FO00 5432 0388 8999 44'], // Faroe Islands
+ ['NL01INGB0001393698'], // Netherlands
+ ['NL01RABO0331811235'], // Netherlands
+ ['RU99 0445 2560 0407 0281 0412 3456 7890 1'], // Russia
 ];
 }
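Review bot: The added cases cover only the rejected side (check digits 00, 01 and 99); nothing in this hunk pins the accepted boundaries, so an off-by-one in `$checkDigits < 2 || $checkDigits > 98` would not be caught here. Unless the valid-IBAN provider (outside this hunk) already contains them, add one valid IBAN with check digits 02 and one with 98 there. The two `NL01` entries exercise the same branch. A short comment stating how the values were derived (presumably by shifting a valid IBAN's check digits by 97) would tell the next reader why they were chosen. The provider body starts outside the hunk.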