Fix for invalid Jackrabbit characters in URLs (#436)

UFTimmy · dbu · commit c6c5c8b6d138 · 2019-02-12T08:50:18.000+01:00
* Remove routes with invalid PHPCR characters

* Disallow URLs with spaces adjacent to slashes
diff --git a/src/Doctrine/Phpcr/PrefixCandidates.php b/src/Doctrine/Phpcr/PrefixCandidates.php
@@ -118,7 +118,7 @@ public function getCandidates(Request $request)
 
         // filter out things like double // or trailing / - this would trigger an exception on the document manager.
         foreach ($candidates as $key => $candidate) {
-            if (!PathHelper::assertValidAbsolutePath($candidate, false, false)) {
+            if (!$this->isCandidateValid($candidate)) {
                 unset($candidates[$key]);
             }
         }
@@ -166,6 +166,30 @@ public function setManagerName($manager)
         $this->managerName = $manager;
     }
 
+    /**
+     * @param string $candidate The candidate path to check
+     *
+     * @return bool
+     */
+    protected function isCandidateValid($candidate)
+    {
+        // Candidates cannot start or end with a space in Jackrabbit.
+        if (' ' === \substr($candidate, 0, 1) || ' ' === \substr($candidate, -1)) {
+            return false;
+        }
+
+        // Jackrabbit does not allow spaces before or after the path separator.
+        if (false !== \strpos($candidate, ' /') || false !== \strpos($candidate, '/ ')) {
+            return false;
+        }
+
+        if (!PathHelper::assertValidAbsolutePath($candidate, false, false)) {
+            return false;
+        }
+
+        return true;
+    }
+
     /**
      * {@inheritdoc}
      *
diff --git a/src/Doctrine/Phpcr/RouteProvider.php b/src/Doctrine/Phpcr/RouteProvider.php
@@ -64,8 +64,11 @@ public function __construct(
      */
     public function getCandidates(Request $request)
     {
-        if (false !== strpos($request->getPathInfo(), ':')) {
-            return [];
+        $invalidCharacters = [':', '[', ']'];
+        foreach ($invalidCharacters as $invalidCharacter) {
+            if (false !== strpos($request->getPathInfo(), $invalidCharacter)) {
+                return [];
+            }
         }
 
         return $this->candidatesStrategy->getCandidates($request);

Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,11 @@ public function __construct(`
`64`	`64`	`*/`
`65`	`65`	`public function getCandidates(Request $request)`
`66`	`66`	`{`
`67`		`- if (false !== strpos($request->getPathInfo(), ':')) {`
`68`		`- return [];`
	`67`	`+ $invalidCharacters = [':', '[', ']'];`
	`68`	`+ foreach ($invalidCharacters as $invalidCharacter) {`
	`69`	`+ if (false !== strpos($request->getPathInfo(), $invalidCharacter)) {`
	`70`	`+ return [];`
	`71`	`+ }`
`69`	`72`	`}`
`70`	`73`
`71`	`74`	`return $this->candidatesStrategy->getCandidates($request);`