Prevent redirection with new line character in the route (#19800)

* Prevent redirection with new line character in the route

* Remove escape

* Remove import

* Changelog

* Remove \
This commit is contained in:
Bizley
2023-03-31 14:40:31 +02:00
committed by GitHub
parent aa1e4432f1
commit 87f05afb8a
3 changed files with 19 additions and 6 deletions


@ -23,6 +23,7 @@ Yii Framework 2 Change Log
- Bug #19735: Fix `yii\validators\NumberValidator` to use programmable message for the value validation (bizley) - Bug #19735: Fix `yii\validators\NumberValidator` to use programmable message for the value validation (bizley)
- Bug #19770: Fix `yii\mutex\MysqlMutex` `keyPrefix` expression param binding (kamarton) - Bug #19770: Fix `yii\mutex\MysqlMutex` `keyPrefix` expression param binding (kamarton)
- Enh #19794: Add caching in `yii\web\Request` for `getUserIP()` and `getSecureForwardedHeaderTrustedParts()` (rhertogh) - Enh #19794: Add caching in `yii\web\Request` for `getUserIP()` and `getSecureForwardedHeaderTrustedParts()` (rhertogh)
- Bug #19795: Fix `yii\web\Response::redirect()` to prevent setting headers with URL containing new line character (bizley)
2.0.47 November 18, 2022 2.0.47 November 18, 2022
------------------------ ------------------------


@ -10,6 +10,7 @@ namespace yii\web;
use Yii; use Yii;
use yii\base\InvalidArgumentException; use yii\base\InvalidArgumentException;
use yii\base\InvalidConfigException; use yii\base\InvalidConfigException;
use yii\base\InvalidRouteException;
use yii\helpers\FileHelper; use yii\helpers\FileHelper;
use yii\helpers\Inflector; use yii\helpers\Inflector;
use yii\helpers\StringHelper; use yii\helpers\StringHelper;
@ -886,12 +887,13 @@ class Response extends \yii\base\Response
} }
$request = Yii::$app->getRequest(); $request = Yii::$app->getRequest();
$normalizedUrl = Url::to($url); $normalizedUrl = Url::to($url);
if ( if ($normalizedUrl !== null) {
$normalizedUrl !== null if (preg_match('/\n/', $normalizedUrl)) {
&& strncmp($normalizedUrl, '/', 1) === 0 throw new InvalidRouteException('Route with new line character detected "' . $normalizedUrl . '".');
&& strncmp($normalizedUrl, '//', 2) !== 0 }
) { if (strncmp($normalizedUrl, '/', 1) === 0 && strncmp($normalizedUrl, '//', 2) !== 0) {
$normalizedUrl = $request->getHostInfo() . $normalizedUrl; $normalizedUrl = $request->getHostInfo() . $normalizedUrl;
}
} }
if ($checkAjax && $request->getIsAjax()) { if ($checkAjax && $request->getIsAjax()) {
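Review bot: The guard at the `preg_match('/\n/', $normalizedUrl)` line only rejects a line feed; a bare carriage return also terminates a header line for many clients (and PHP's `header()` itself rejects CR as well as LF, so the explicit exception would be bypassed in favour of a later warning), so the check should cover both, e.g. `if (strpbrk($normalizedUrl, "\r\n") !== false) {` or `preg_match('/[\r\n]/', $normalizedUrl)`. The exception message embeds the offending URL verbatim, so if the message is written to a log the embedded line break splits the entry; consider omitting the URL or collapsing the control characters before interpolating it. `InvalidArgumentException` is already imported in this file and describes a bad URL argument more accurately than `InvalidRouteException`, which the first hunk imports only for this throw; that is a naming preference rather than a defect. The enclosing redirect() method starts before and ends after this hunk.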


@ -171,6 +171,16 @@ class ResponseTest extends \yiiunit\TestCase
); );
} }
/**
* @see https://github.com/yiisoft/yii2/issues/19795
*/
public function testRedirectNewLine()
{
$this->expectException('yii\base\InvalidRouteException');
$this->response->redirect(urldecode('http://test-domain.com/gql.json;%0aa.html'));
}
/** /**
* @dataProvider dataProviderAjaxRedirectInternetExplorer11 * @dataProvider dataProviderAjaxRedirectInternetExplorer11
*/ */
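Review bot: testRedirectNewLine only exercises an LF (`%0a`); a CR (`%0d`) and a CRLF variant should be covered too so the new-line rejection in Response::redirect() is pinned for every line terminator, e.g. by turning the method into a `@dataProvider` test with `"\n"`, `"\r"` and `"\r\n"` cases. The `urldecode('http://test-domain.com/gql.json;%0aa.html')` construction is harder to read than the direct literal `"http://test-domain.com/gql.json;\na.html"`, which makes the injected character visible in the test itself. A companion case asserting that an ordinary absolute URL still redirects without throwing would guard against the check becoming over-broad.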