
Commit 68fc742

committed
Patch potential XSS vulnerability
Ensures that a URI of the form: http://example.com//zend.com resolves properly to: http://example.com/zend.com and NOT to: //zend.com (The latter of which could present an XSS vector.)
1 parent 11d695b commit 68fc742

2 files changed

+21
-1
lines changed


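--- a/src/Uri.php
+++ b/src/Uri.php
@@ -511,11 +511,24 @@ private function filterScheme($scheme)
 */
 private function filterPath($path)
 {
-return preg_replace_callback(
+$path = preg_replace_callback(
 '/(?:[^' . self::CHAR_UNRESERVED . ':@&=\+\$,\/;%]+|%(?![A-Fa-f0-9]{2}))/',
 [$this, 'urlEncodeChar'],
 $path
 );
+
+if (empty($path)) {
+// No path
+return $path;
+}
+
+if ($path[0] !== '/') {
+// Relative path
+return $path;
+}
+
+// Ensure only one leading slash, to prevent XSS attempts.
+return '/' . ltrim($path, '/');
 }
 
 /**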
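Review bot: The comment on the final added line names the symptom ("XSS attempts") rather than the rule being enforced, which makes the `ltrim` look arbitrary to the next maintainer; I would replace it with `// RFC 3986 §3.3: a path must not begin with "//" when the URI has no authority, or a rendered path-only reference would be read as a network-path reference (//host). Collapse leading slashes to a single one.` The `empty($path)` guard also treats the string `'0'` as "no path"; the outcome is the same here because both branches return `$path` unchanged, but `if ($path === '' || $path === null)` states the intent without that truthiness trap. Note that `preg_replace_callback` returns null on a PCRE error and the null then flows through the `empty` branch unchanged, which may be worth a comment. The surrounding class is outside this hunk, so whether every path-setting entry point routes through `filterPath` cannot be confirmed from here.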

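--- a/test/UriTest.php
+++ b/test/UriTest.php
@@ -448,4 +448,11 @@ public function testFragmentIsNotDoubleEncoded()
 $uri = (new Uri())->withFragment($expected);
 $this->assertEquals($expected, $uri->getFragment());
 }
+
+public function testProperlyTrimsLeadingSlashesToPreventXSS()
+{
+$url = 'http://example.org//zend.com';
+$uri = new Uri($url);
+$this->assertEquals('http://example.org/zend.com', (string) $uri);
+}
 }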
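Review bot: The new test only exercises the case where an authority is present, which is the case a browser would not misread anyway; the hazard the fix targets is a URI with no host whose path starts with `//`, and that path is not covered. Assuming the class exposes the usual PSR-7 `withPath`/`getPath`, an assertion such as `$this->assertSame('/zend.com', (new Uri())->withPath('//zend.com')->getPath());` would pin the behaviour that matters, and one further case each for the empty-path and relative-path branches added in `filterPath` would document that those are left untouched. `assertSame` is preferable to `assertEquals` for string results so a loose comparison cannot mask a type change. The enclosing test class continues outside this hunk.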
