Merge branch 'hotfix/372-invalid-utf8-in-uri' into develop

weierophinney · weierophinney · commit 49a2b9612114 · 2019-10-10T12:39:28.000-05:00
Forward port #372 Conflicts: CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,7 +24,7 @@ All notable changes to this project will be documented in this file, in reverse
 
 - Nothing.
 
-## 2.1.5 - TBD
+## 2.1.5 - 2019-10-10
 
 ### Added
 
@@ -44,7 +44,7 @@ All notable changes to this project will be documented in this file, in reverse
 
 ### Fixed
 
-- Nothing.
+- [#372](https://github.com/zendframework/zend-diactoros/pull/372) fixes issues that occur in the `Zend\Diactoros\Uri` class when invalid UTF-8 characters are present the user-info, path, or query string, ensuring they are URL-encoded before being consumed. Previously, such characters could result in a fatal error, which was particularly problematic when marshaling the request URI for an application request cycle.
 
 ## 2.1.4 - 2019-10-08
 
diff --git a/src/Uri.php b/src/Uri.php
@@ -11,9 +11,7 @@
 
 use Psr\Http\Message\UriInterface;
 
-use function array_key_exists;
 use function array_keys;
-use function count;
 use function explode;
 use function get_class;
 use function gettype;
@@ -23,10 +21,12 @@
 use function is_string;
 use function ltrim;
 use function parse_url;
+use function preg_match;
 use function preg_replace;
 use function preg_replace_callback;
 use function rawurlencode;
 use function sprintf;
+use function str_split;
 use function strpos;
 use function strtolower;
 use function substr;
@@ -560,6 +560,8 @@ private function filterScheme(string $scheme) : string
      */
     private function filterUserInfoPart(string $part) : string
     {
+        $part = $this->filterInvalidUtf8($part);
+
         // Note the addition of `%` to initial charset; this allows `|` portion
         // to match and thus prevent double-encoding.
         return preg_replace_callback(
@@ -574,6 +576,8 @@ private function filterUserInfoPart(string $part) : string
      */
     private function filterPath(string $path) : string
     {
+        $path = $this->filterInvalidUtf8($path);
+
         $path = preg_replace_callback(
             '/(?:[^' . self::CHAR_UNRESERVED . ')(:@&=\+\$,\/;%]+|%(?![A-Fa-f0-9]{2}))/u',
             [$this, 'urlEncodeChar'],
@@ -594,6 +598,26 @@ private function filterPath(string $path) : string
         return '/' . ltrim($path, '/');
     }
 
+    /**
+     * Encode invalid UTF-8 characters in given string. All other characters are unchanged.
+     */
+    private function filterInvalidUtf8(string $string) : string
+    {
+        // check if given string contains only valid UTF-8 characters
+        if (preg_match('//u', $string)) {
+            return $string;
+        }
+
+        $letters = str_split($string);
+        foreach ($letters as $i => $letter) {
+            if (! preg_match('//u', $letter)) {
+                $letters[$i] = $this->urlEncodeChar([$letter]);
+            }
+        }
+
+        return implode('', $letters);
+    }
+
     /**
      * Filter a query string to ensure it is propertly encoded.
      *
@@ -654,6 +678,8 @@ private function filterFragment(string $fragment) : string
      */
     private function filterQueryOrFragment(string $value) : string
     {
+        $value = $this->filterInvalidUtf8($value);
+
         return preg_replace_callback(
             '/(?:[^' . self::CHAR_UNRESERVED . self::CHAR_SUB_DELIMS . '%:@\/\?]+|%(?![A-Fa-f0-9]{2}))/u',
             [$this, 'urlEncodeChar'],
diff --git a/test/UriTest.php b/test/UriTest.php
@@ -101,6 +101,7 @@ public function userInfoProvider()
             'at'          => ['user@example.com', 'cred@foo', 'user%40example.com:cred%40foo'],
             'percent'     => ['%25',              '%25',      '%25:%25'],
             'invalid-enc' => ['%ZZ',              '%GG',      '%25ZZ:%25GG'],
+            'invalid-utf' => ["\x21\x92",         '!?',       '!%92:!%3F'],
         ];
         // @codingStandardsIgnoreEnd
     }
@@ -616,7 +617,9 @@ public function utf8PathsDataProvider()
     {
         return [
             ['http://example.com/тестовый_путь/', '/тестовый_путь/'],
-            ['http://example.com/ουτοπία/', '/ουτοπία/']
+            ['http://example.com/ουτοπία/', '/ουτοπία/'],
+            ["http://example.com/\x21\x92", '/%21%92'],
+            ['http://example.com/!?', '/%21'],
         ];
     }
 
@@ -635,6 +638,7 @@ public function utf8QueryStringsDataProvider()
         return [
             ['http://example.com/?q=тестовый_путь', 'q=тестовый_путь'],
             ['http://example.com/?q=ουτοπία', 'q=ουτοπία'],
+            ["http://example.com/?q=\x21\x92", 'q=!%92'],
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,7 @@ public function userInfoProvider()`
`101`	`101`	`'at' => ['[email protected]', 'cred@foo', 'user%40example.com:cred%40foo'],`
`102`	`102`	`'percent' => ['%25', '%25', '%25:%25'],`
`103`	`103`	`'invalid-enc' => ['%ZZ', '%GG', '%25ZZ:%25GG'],`
	`104`	`+ 'invalid-utf' => ["\x21\x92", '!?', '!%92:!%3F'],`
`104`	`105`	`];`
`105`	`106`	`// @codingStandardsIgnoreEnd`
`106`	`107`	`}`
`@@ -616,7 +617,9 @@ public function utf8PathsDataProvider()`
`616`	`617`	`{`
`617`	`618`	`return [`
`618`	`619`	`['http://example.com/тестовый_путь/', '/тестовый_путь/'],`
`619`		`- ['http://example.com/ουτοπία/', '/ουτοπία/']`
	`620`	`+ ['http://example.com/ουτοπία/', '/ουτοπία/'],`
	`621`	`+ ["http://example.com/\x21\x92", '/%21%92'],`
	`622`	`+ ['http://example.com/!?', '/%21'],`
`620`	`623`	`];`
`621`	`624`	`}`
`622`	`625`
`@@ -635,6 +638,7 @@ public function utf8QueryStringsDataProvider()`
`635`	`638`	`return [`
`636`	`639`	`['http://example.com/?q=тестовый_путь', 'q=тестовый_путь'],`
`637`	`640`	`['http://example.com/?q=ουτοπία', 'q=ουτοπία'],`
	`641`	`+ ["http://example.com/?q=\x21\x92", 'q=!%92'],`
`638`	`642`	`];`
`639`	`643`	`}`
`640`	`644`