Issue #3489329 by mfb, casey: symfony/http-foundation commit 32310ff breaks PathValidator

(cherry picked from commit 90ab4e3da1)
merge-requests/10437/head
Lee Rowlands 2024-11-27 16:04:08 +10:00
parent 0aeedd16e5
commit 252448a006
No known key found for this signature in database
GPG Key ID: 2B829A3DF9204DC4
2 changed files with 26 additions and 1 deletions


@ -10,6 +10,7 @@ use Drupal\Core\Routing\RequestContext;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;
use Drupal\Core\Routing\RouteObjectInterface;
use Symfony\Component\HttpFoundation\Exception\BadRequestException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\Routing\Exception\MethodNotAllowedException;
@ -118,7 +119,12 @@ class PathValidator implements PathValidatorInterface {
return Url::fromUri($path);
}
$request = Request::create('/' . $path);
try {
$request = Request::create('/' . $path);
}
catch (BadRequestException) {
return FALSE;
}
$attributes = $this->getPathAttributes($path, $request, $access_check);
if (!$attributes) {
@ -172,6 +178,9 @@ class PathValidator implements PathValidatorInterface {
catch (MethodNotAllowedException $e) {
$result = FALSE;
}
catch (BadRequestException) {
$result = FALSE;
}
$router->setContext($initial_request_context);
return $result;
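Review bot: The restore call `$router->setContext($initial_request_context);` after the catch chain runs only when the try body throws one of the listed exception types, so any other exception leaves the router holding the temporary context for the rest of the request. This commit looks like an instance of that: before `catch (BadRequestException)` was added here, that exception would presumably have skipped the restore as well as propagating. Moving the call into `finally { $router->setContext($initial_request_context); }` makes the restore unconditional, so path validation cannot leak state when a dependency starts throwing a new type. The try body starts outside the hunk, so this assumes the context is swapped before it, as the variable name suggests.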


@ -444,4 +444,20 @@ class PathValidatorTest extends UnitTestCase {
$this->assertEquals(['key' => 'value'], $url->getRouteParameters());
}
/**
* Tests the getUrlIfValidWithoutAccessCheck() method with an invalid path.
*
* @covers ::getUrlIfValidWithoutAccessCheck
* @covers ::getUrl
*/
public function testGetUrlIfValidWithoutAccessCheckWithInvalidPath(): void {
// URLs must not start nor end with ASCII control characters or spaces.
$this->assertFalse($this->pathValidator->getUrlIfValidWithoutAccessCheck('foo '));
// Also check URL-encoded variant.
$this->pathProcessor->expects($this->once())
->method('processInbound')
->willReturnArgument(0);
$this->assertFalse($this->pathValidator->getUrlIfValidWithoutAccessCheck('foo%20'));
}
}
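Review bot: The test does not say which of the two new `catch (BadRequestException)` blocks each assertion covers, and the lines shown do not establish that the `'foo%20'` case reaches the router-side catch. With `processInbound` stubbed to return its argument unchanged, that assertion may pass simply because the router test double matches nothing. In that case the second catch is untested, and a regression there would surface as an uncaught exception on user-supplied paths. Consider having the router double throw `BadRequestException` for this case and stating the intent in the comment, e.g. `// The encoded form passes Request::create(); the router rejects it.` The comment on the first assertion also mentions leading characters and control characters, but only a trailing space is exercised.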