From 42528ddf838476b71bd8af96de63f61c0999a587 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Wed, 25 Jul 2018 12:07:10 +0200
Subject: [PATCH] URL decoding of parameters must be done after the parsing

Otherwise percent-encoded / are recognized as an URL separator which does not respect the section 2.4 of the RFC3986 [0]. This is an issue if you have an string URL parameter with a / character since the URL is decoded before the finding the route corresponding the request you will either not find the route or find a route that does not match with the request. The URL must be decoded only when setting the parameters.
[0] https://tools.ietf.org/html/rfc3986#section-2.4
---
 vendor/Luracast/Restler/Restler.php | 2 +-
 vendor/Luracast/Restler/Routes.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/vendor/Luracast/Restler/Restler.php b/vendor/Luracast/Restler/Restler.php
index c2e9b1acb..9aab1ef22 100644
--- a/vendor/Luracast/Restler/Restler.php
+++ b/vendor/Luracast/Restler/Restler.php
@@ -499,7 +499,7 @@ protected function getPath()
 = '/' . substr($_SERVER['SCRIPT_FILENAME'], strlen($_SERVER['DOCUMENT_ROOT']) + 1);
 list($base, $path) = Util::splitCommonPath(
- strtok(urldecode($_SERVER['REQUEST_URI']), '?'), //remove query string
+ strtok($_SERVER['REQUEST_URI'], '?'), //remove query string
 $_SERVER['SCRIPT_NAME']
 );
diff --git a/vendor/Luracast/Restler/Routes.php b/vendor/Luracast/Restler/Routes.php
index 73e78dc00..9fe3303cb 100644
--- a/vendor/Luracast/Restler/Routes.php
+++ b/vendor/Luracast/Restler/Routes.php
@@ -430,7 +430,7 @@ public static function find($path, $httpMethod,
 $details = $value[$httpMethod]['metadata']['param'][$index];
 if ($k{0} == 's' || strpos($k, static::pathVarTypeOf($v)) === 0) {
 //remove the newlines
- $data[$details['name']] = trim($v, PHP_EOL);
+ $data[$details['name']] = trim(urldecode($v), PHP_EOL);
 } else {
 $status = 400;
 $message = 'invalid value specified for `'
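Review bot: With the decode removed, `Util::splitCommonPath()` in `getPath()` now compares a still percent-encoded `REQUEST_URI` against `$_SERVER['SCRIPT_NAME']`, which the web server normally supplies already decoded, so a base path that arrives with an encoded character (a space or a non-ASCII directory name) may no longer be recognised as the common prefix. `splitCommonPath()` is not visible here, so this needs checking rather than being certain. The rest of `getPath()` lies outside the hunk, and anything there or in its callers that reads `$path` now sees the raw encoded form. A comment on the changed line would record that contract, for example `// kept percent-encoded on purpose: segments are decoded per parameter in Routes::find() (RFC 3986 section 2.4)`.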
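Review bot: `urldecode()` on the new line in `Routes::find()` also turns `+` into a space, which is form-encoding behaviour and wrong for a path segment; `rawurldecode()` is the RFC 3986 decoder, so the line should read `$data[$details['name']] = trim(rawurldecode($v), PHP_EOL);`. The type test in the `if` above still runs on the encoded `$v` while the stored value is the decoded one, so what is validated and what reaches the API method can differ (for example `%31` is probably not classified as a number by `pathVarTypeOf()`, though it decodes to `1`). After this change a string parameter can legitimately carry `/`, `..` or control bytes that never acted as separators during routing, so API methods that build file paths or command arguments from path parameters need their own validation. The enclosing `find()` starts and ends outside the hunk.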