Bug #42511
"Uri" constructor silently accepts unparsable Uri strings
| Status: | Resolved | Start date: | 2012-10-30 | |
|---|---|---|---|---|
| Priority: | Must have | Due date: | ||
| Assigned To: | Adrian Föder | % Done: | 100% |
|
| Category: | Http | |||
| Target version: | TYPO3 Flow Base Distribution - 2.0 | |||
| PHP Version: | Complexity: | |||
| Has patch: | No | Affected Flow version: | Git 1.2 (master) |
Description
The Uri::__construct() method basically relies on the parse_url() method. As of PHP documentation, http://de3.php.net/manual/en/function.parse-url.php, Changelog,
5.3.3 Removed the E_WARNING that was emitted when URL parsing failed.
So the constructor's code can, dependent of the PHP version in use, either throw a Warning exception or silently do nothing but let the Uri object be created since there is no other check:
1 public function __construct($uriString) {
2 if (!is_string($uriString)) throw new \InvalidArgumentException('The URI must be a valid string.', 1176550571);
3
4 $uriParts = parse_url($uriString);
5 if (is_array($uriParts)) {
6 $this->scheme = isset($uriParts['scheme']) ? $uriParts['scheme'] : NULL;
7 $this->username = isset($uriParts['user']) ? $uriParts['user'] : NULL;
8 $this->password = isset($uriParts['pass']) ? $uriParts['pass'] : NULL;
9 $this->host = isset($uriParts['host']) ? $uriParts['host'] : NULL;
10 $this->port = isset($uriParts['port']) ? $uriParts['port'] : NULL;
11 $this->path = isset($uriParts['path']) ? $uriParts['path'] : NULL;
12 if (isset($uriParts['query'])) {
13 $this->setQuery ($uriParts['query']);
14 }
15 $this->fragment = isset($uriParts['fragment']) ? $uriParts['fragment'] : NULL;
16 }
17 }
I recommend to catch the Warning, if any, and throw an exception if parse_url returned FALSE (or is not an array, i.e. the else-block of the if().
Related issues
Associated revisions
[!!!][BUGFIX] Http\Uri constructor throws exception on invalid Uri
The constructor of the Uri object now checks the return value
of the parse_url method and throws an exception if this returns
anything else than a valuable array, because in this case the
given Uri is considered seriously malformed.
This is considered breaking because prior to this change,
the Uri just silently was created with all empty values.
Change-Id: I54c3c82e60c53ebad7dcf43ecd7e7f7044831668
Fixes: #42511
Releases: 1.1, 1.2
[!!!][BUGFIX] Http\Uri constructor throws exception on invalid Uri
The constructor of the Uri object now checks the return value
of the parse_url method and throws an exception if this returns
anything else than a valuable array, because in this case the
given Uri is considered seriously malformed.
This is considered breaking because prior to this change,
the Uri just silently was created with all empty values.
Change-Id: I54c3c82e60c53ebad7dcf43ecd7e7f7044831668
Fixes: #42511
Releases: 1.1, 1.2
History
#1 Updated by Gerrit Code Review almost 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/16035
#2 Updated by Adrian Föder over 2 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 1b03b89c9a61c5a8066544929a9be590eb3521b3.
#3 Updated by Gerrit Code Review over 2 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch FLOW3-1.1 has been pushed to the review server.
It is available at https://review.typo3.org/17082
#4 Updated by Gerrit Code Review over 2 years ago
Patch set 2 for branch FLOW3-1.1 has been pushed to the review server.
It is available at https://review.typo3.org/17082
#5 Updated by Karsten Dambekalns over 2 years ago
- Status changed from Under Review to Resolved