fix: Filters does not decode URI path

kenjis · kenjis · commit 8745b20dbd9b · 2024-03-29T11:18:17.000+09:00
Router does decode it, so Filters also should decode.
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -449,6 +449,7 @@ protected function handleRequest(?RouteCollectionInterface $routes, Cache $cache
 
         $routeFilter = $this->tryToRouteIt($routes);
 
+        // $uri is URL-encoded.
         $uri = $this->determinePath();
 
         if ($this->enableFilters) {
@@ -813,6 +814,7 @@ protected function tryToRouteIt(?RouteCollectionInterface $routes = null)
         // $routes is defined in Config/Routes.php
         $this->router = Services::router($routes, $this->request);
 
+        // $path is URL-encoded.
         $path = $this->determinePath();
 
         $this->benchmark->stop('bootstrap');
diff --git a/system/Filters/Filters.php b/system/Filters/Filters.php
@@ -245,6 +245,9 @@ public function initialize(?string $uri = null)
             return $this;
         }
 
+        // Decode URL-encoded string
+        $uri = urldecode($uri);
+
         $this->processGlobals($uri);
         $this->processMethods();
         $this->processFilters($uri);
@@ -639,7 +642,7 @@ private function checkExcept(string $uri, $paths): bool
     /**
      * Check the URI path as pseudo-regex
      *
-     * @param string $uri   URI path relative to baseURL (all lowercase)
+     * @param string $uri   URI path relative to baseURL (all lowercase, URL-decoded)
      * @param array  $paths The except path patterns
      */
     private function checkPseudoRegex(string $uri, array $paths): bool
@@ -652,7 +655,7 @@ private function checkPseudoRegex(string $uri, array $paths): bool
             $path = strtolower(str_replace('*', '.*', $path));
 
             // Does this rule apply here?
-            if (preg_match('#^' . $path . '$#', $uri, $match) === 1) {
+            if (preg_match('#\A' . $path . '\z#u', $uri, $match) === 1) {
                 return true;
             }
         }
diff --git a/tests/system/Filters/FiltersTest.php b/tests/system/Filters/FiltersTest.php
@@ -1056,6 +1056,52 @@ public function testMatchesURICaseInsensitively(): void
         $this->assertSame($expected, $filters->initialize($uri)->getFilters());
     }
 
+    public function testMatchesURIWithUnicode(): void
+    {
+        $_SERVER['REQUEST_METHOD'] = 'GET';
+
+        $config = [
+            'aliases' => [
+                'foo'  => '',
+                'bar'  => '',
+                'frak' => '',
+                'baz'  => '',
+            ],
+            'globals' => [
+                'before' => [
+                    'foo' => ['except' => '日本語/*'],
+                    'bar',
+                ],
+                'after' => [
+                    'foo' => ['except' => '日本語/*'],
+                    'baz',
+                ],
+            ],
+            'filters' => [
+                'frak' => [
+                    'before' => ['日本語/*'],
+                    'after'  => ['日本語/*'],
+                ],
+            ],
+        ];
+        $filtersConfig = $this->createConfigFromArray(FiltersConfig::class, $config);
+        $filters       = $this->createFilters($filtersConfig);
+
+        // URIs passed to Filters are URL-encoded.
+        $uri      = '%E6%97%A5%E6%9C%AC%E8%AA%9E/foo/bar';
+        $expected = [
+            'before' => [
+                'bar',
+                'frak',
+            ],
+            'after' => [
+                'baz',
+                'frak',
+            ],
+        ];
+        $this->assertSame($expected, $filters->initialize($uri)->getFilters());
+    }
+
     /**
      * @see https://github.com/codeigniter4/CodeIgniter4/issues/1907
      */
diff --git a/user_guide_src/source/changelogs/v4.4.7.rst b/user_guide_src/source/changelogs/v4.4.7.rst
@@ -21,6 +21,8 @@ SECURITY
   strings has been added. This check is equivalent to the URI Security found in
   CodeIgniter 3. This is enabled by default, but upgraded users need to add
   a setting to enable it. See :ref:`urls-uri-security` for details.
+- **Filters:** A bug where URI paths processed by Filters were not URL-decoded
+  has been fixed. See :ref:`upgrade-447-filter-paths` for details.
 
 ********
 BREAKING
diff --git a/user_guide_src/source/incoming/filters.rst b/user_guide_src/source/incoming/filters.rst
@@ -140,6 +140,11 @@ an array with the ``except`` key and a URI path (relative to BaseURL) to match a
 
 .. literalinclude:: filters/006.php
 
+.. Warning:: Prior to v4.4.7, due to a bug, the URI paths processed by the filter
+    were not URL-decoded. In other words, the URI paths specified in the routing
+    and the URI paths specified in the filter could be different.
+    See :ref:`upgrade-447-filter-paths` for details.
+
 Any place you can use a URI path (relative to BaseURL) in the filter settings, you can use a regular expression or, like in this example, use
 an asterisk (``*``) for a wildcard that will match all characters after that. In this example, any URI path starting with ``api/``
 would be exempted from CSRF protection, but the site's forms would all be protected.
@@ -175,6 +180,11 @@ a list of URI path (relative to BaseURL) patterns that filter should apply to:
 
 .. literalinclude:: filters/009.php
 
+.. Warning:: Prior to v4.4.7, due to a bug, the URI paths processed by the filter
+    were not URL-decoded. In other words, the URI paths specified in the routing
+    and the URI paths specified in the filter could be different.
+    See :ref:`upgrade-447-filter-paths` for details.
+
 .. _filters-filters-filter-arguments:
 
 Filter Arguments
diff --git a/user_guide_src/source/installation/upgrade_447.rst b/user_guide_src/source/installation/upgrade_447.rst
@@ -40,6 +40,40 @@ The error page has been updated. Please update the following files:
 Breaking Changes
 ****************
 
+.. _upgrade-447-filter-paths:
+
+Paths in Controller Filters
+===========================
+
+A bug where URI paths processed by :doc:`../incoming/filters` were not URL-decoded has been fixed.
+
+.. note:: Note that :doc:`Router <../incoming/routing>` processes URL-decoded URI paths.
+
+``Config\Filters`` has some places to specify the URI paths. If the paths have
+different values when URL-decoded, change them to the URL-decoded values.
+
+E.g.,:
+
+.. code-block:: php
+
+    public array $globals = [
+        'before' => [
+            'csrf' => ['except' => '%E6%97%A5%E6%9C%AC%E8%AA%9E/*'],
+        ],
+        // ...
+    ];
+
+↓
+
+.. code-block:: php
+
+    public array $globals = [
+        'before' => [
+            'csrf' => ['except' => '日本語/*'],
+        ],
+        // ...
+    ];
+
 Time::difference() and DST
 ==========================
 

Original file line number	Diff line number	Diff line change
`@@ -245,6 +245,9 @@ public function initialize(?string $uri = null)`
`245`	`245`	`return $this;`
`246`	`246`	`}`
`247`	`247`
	`248`	`+ // Decode URL-encoded string`
	`249`	`+ $uri = urldecode($uri);`
	`250`	`+`
`248`	`251`	`$this->processGlobals($uri);`
`249`	`252`	`$this->processMethods();`
`250`	`253`	`$this->processFilters($uri);`
`@@ -639,7 +642,7 @@ private function checkExcept(string $uri, $paths): bool`
`639`	`642`	`/**`
`640`	`643`	`* Check the URI path as pseudo-regex`
`641`	`644`	`*`
`642`		`- * @param string $uri URI path relative to baseURL (all lowercase)`
	`645`	`+ * @param string $uri URI path relative to baseURL (all lowercase, URL-decoded)`
`643`	`646`	`* @param array $paths The except path patterns`
`644`	`647`	`*/`
`645`	`648`	`private function checkPseudoRegex(string $uri, array $paths): bool`
`@@ -652,7 +655,7 @@ private function checkPseudoRegex(string $uri, array $paths): bool`
`652`	`655`	`$path = strtolower(str_replace('', '.', $path));`
`653`	`656`
`654`	`657`	`// Does this rule apply here?`
`655`		`- if (preg_match('#^' . $path . '$#', $uri, $match) === 1) {`
	`658`	`+ if (preg_match('#\A' . $path . '\z#u', $uri, $match) === 1) {`
`656`	`659`	`return true;`
`657`	`660`	`}`
`658`	`661`	`}`