From b8b69972e9d094bd10961af681c0ef75623cc815 Mon Sep 17 00:00:00 2001
From: Bastian Waidelich <bastian@neos.io>
Date: Thu, 12 Jun 2025 17:36:27 +0200
Subject: [PATCH] BUGFIX: Disallow singleton route part handlers

Using singleton route part handlers can have severe side effects because they are shared between all route instances.

This change leads to an exception being thrown if a singleton handler is configured

Related: https://github.com/neos/neos-development-collection/issues/5571
---
 Neos.Flow/Classes/Mvc/Routing/Route.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Neos.Flow/Classes/Mvc/Routing/Route.php b/Neos.Flow/Classes/Mvc/Routing/Route.php
index 2f60eedc2a..0ea68653e6 100644
--- a/Neos.Flow/Classes/Mvc/Routing/Route.php
+++ b/Neos.Flow/Classes/Mvc/Routing/Route.php
@@ -24,6 +24,7 @@
 use Neos\Flow\Mvc\Routing\Dto\RouteLifetime;
 use Neos\Flow\Mvc\Routing\Dto\RouteTags;
 use Neos\Flow\Mvc\Routing\Dto\UriConstraints;
+use Neos\Flow\ObjectManagement\Configuration\Configuration;
 use Neos\Flow\ObjectManagement\ObjectManagerInterface;
 use Neos\Flow\Persistence\PersistenceManagerInterface;
 use Neos\Utility\Arrays;
@@ -754,7 +755,11 @@ public function parse()
                         throw new InvalidUriPatternException('the URI pattern "' . $this->uriPattern . '" of route "' . $this->getName() . '" contains successive Dynamic Route Parts, which is not allowed.', 1218446975);
                     }
                     if (isset($this->routePartsConfiguration[$routePartName]['handler'])) {
-                        $routePart = $this->objectManager->get($this->routePartsConfiguration[$routePartName]['handler']);
+                        $routePartHandlerObjectName = $this->routePartsConfiguration[$routePartName]['handler'];
+                        if ($this->objectManager->getScope($routePartHandlerObjectName) === Configuration::SCOPE_SINGLETON) {
+                            throw new InvalidRoutePartHandlerException(sprintf('routePart handlers must be prototypes but "%s" is a singleton in route "%s"', $routePartHandlerObjectName, $this->getName()), 1749742364);
+                        }
+                        $routePart = $this->objectManager->get($routePartHandlerObjectName);
                         if (!$routePart instanceof DynamicRoutePartInterface) {
                             throw new InvalidRoutePartHandlerException(sprintf('routePart handlers must implement "%s" in route "%s"', DynamicRoutePartInterface::class, $this->getName()), 1218480972);
                         }