Description
The Request class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class into redirecting users to another domain.
Resolution
The Request::create method now asserts that the URI does not contain invalid characters as defined by the WHATWG URL Standard (https://url.spec.whatwg.org/).
The patch for this issue is available here for branch 5.4.
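As an added example that is not Symfony's own code, the following standalone PHP validator applies the rule the resolution describes: it rejects a redirect target containing characters that are invalid under the WHATWG URL Standard before the URI is parsed at all, and only then compares the parsed host against an allowlist. The class name, the allowlist and the ASCII-only restriction are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added example, not Symfony's own code. It applies the rule the advisory
// describes to a redirect validator: refuse any URI containing characters that
// are not valid per https://url.spec.whatwg.org/ BEFORE parsing it, because
// browsers tolerate or rewrite such characters and may resolve a different
// host than parse_url() reports. The host allowlist and the ASCII-only
// restriction (the spec also allows most non-ASCII code points) are this
// example's own assumptions.
final class RedirectTargetValidator
{
    /** @param string[] $allowedHosts lowercase hostnames redirects may target */
    public function __construct(private array $allowedHosts) {}

    // WHATWG URL code points in ASCII (alphanumerics, !$&'()*+,-./:;=?@_~) plus
    // '%' (percent-encoding) and '#' (fragment delimiter). Controls, space, tab,
    // CR/LF, backslash, <>"[]^`{|} and non-ASCII bytes are all invalid.
    public static function containsInvalidCharacters(string $uri): bool
    {
        return 1 === preg_match('~[^A-Za-z0-9!$&\'()*+,\-./:;=?@_\~%#]~', $uri);
    }
    // True only if $uri is clean, absolute, http(s) and on an allowed host.
    public function isSafeRedirect(string $uri): bool
    {
        if ('' === $uri || self::containsInvalidCharacters($uri)) {
            return false;
        }
        $parts = parse_url($uri);
        if (false === $parts || !isset($parts['scheme'], $parts['host'])) {
            return false; // relative or unparsable: reject rather than guess
        }
        return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            && in_array(strtolower($parts['host']), $this->allowedHosts, true);
    }
}

// Constructed inputs: first two allowed, rest rejected (bad characters or host).
$validator = new RedirectTargetValidator(['app.example']);
foreach ([
    'https://app.example/account?tab=security',
    'https://app.example/path%20with%20space#top',
    "https://app.example/\tpath",   // tab
    'https://app.example\\path',    // backslash
    'https://app.example/a path',   // raw space
    'https://other.example/',       // host not allowlisted
] as $uri) {
    $verdict = $validator->isSafeRedirect($uri) ? 'allow' : 'reject';
    printf("%-48s %s\n", json_encode($uri, JSON_UNESCAPED_SLASHES), $verdict);
}
```

The character check runs before parse_url() is consulted, so the host comparison is only ever made on input that a browser would parse without rewriting.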
Credits
We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.