Allow URL-encoded special characters in basic auth part of URLs

cweiske · fabpot · commit adab2122723e · 2020-04-04T09:24:28.000+02:00
Resolves: symfony/symfony#36285
diff --git a/Constraints/UrlValidator.php b/Constraints/UrlValidator.php
@@ -23,7 +23,7 @@ class UrlValidator extends ConstraintValidator
 {
     const PATTERN = '~^
             (%s)://                                 # protocol
-            (([\_\.\pL\pN-]+:)?([\_\.\pL\pN-]+)@)?  # basic auth
+            (((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)?  # basic auth
             (
                 ([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
                     |                                                 # or
diff --git a/Tests/Constraints/UrlValidatorTest.php b/Tests/Constraints/UrlValidatorTest.php
@@ -122,6 +122,8 @@ public function getValidUrls()
             ['http://user.name:pass.word@symfony.com'],
             ['http://user-name@symfony.com'],
             ['http://user_name@symfony.com'],
+            ['http://u%24er:password@symfony.com'],
+            ['http://user:pa%24%24word@symfony.com'],
             ['http://symfony.com?'],
             ['http://symfony.com?query=1'],
             ['http://symfony.com/?query=1'],
@@ -168,6 +170,8 @@ public function getInvalidUrls()
             ['http://:password@@symfony.com'],
             ['http://username:passwordsymfony.com'],
             ['http://usern@me:password@symfony.com'],
+            ['http://nota%hex:password@symfony.com'],
+            ['http://username:nota%hex@symfony.com'],
             ['http://example.com/exploit.html?<script>alert(1);</script>'],
             ['http://example.com/exploit.html?hel lo'],
             ['http://example.com/exploit.html?not_a%hex'],

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ class UrlValidator extends ConstraintValidator`
`23`	`23`	`{`
`24`	`24`	`const PATTERN = '~^`
`25`	`25`	`(%s):// # protocol`
`26`		`- (([\_\.\pL\pN-]+:)?([\_\.\pL\pN-]+)@)? # basic auth`
	`26`	`+ (((?:[\_\.\pL\pN-]\|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]\|%%[0-9A-Fa-f]{2})+)@)? # basic auth`
`27`	`27`	`(`
`28`	`28`	`([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]\|xn\-\-[\pL\pN-]+)+\.?) # a domain name`
`29`	`29`	`\| # or`
-Original file line number
+Diff line change
             ['http://user.name:[email protected]'],
             ['http://[email protected]'],
             ['http://[email protected]'],
 +            ['http://u%24er:[email protected]'],
 +            ['http://user:pa%24%[email protected]'],
             ['http://symfony.com?'],
             ['http://symfony.com?query=1'],
             ['http://symfony.com/?query=1'],
             ['http://:password@@symfony.com'],
             ['http://username:passwordsymfony.com'],
             ['http://usern@me:[email protected]'],
 +            ['http://nota%hex:[email protected]'],
 +            ['http://username:nota%[email protected]'],
             ['http://example.com/exploit.html?<script>alert(1);</script>'],
             ['http://example.com/exploit.html?hel lo'],
             ['http://example.com/exploit.html?not_a%hex'],