SignUrl: Fix verify URL with only _debug query

jakubboucek · jakubboucek · commit bde92b7ff210 · 2021-09-18T11:49:40.000+02:00
diff --git a/src/Plugin/SignedUrl.php b/src/Plugin/SignedUrl.php
@@ -174,7 +174,7 @@ public function verifyUrl(string $url, bool $allowRedirect = false): array
         // Note: Not parsed by parse_str() to prevent broke URL (repeated arguments like `?same_arg=1&same_arg=2`)
         $query = $parsedUrl['query'] ?? '';
         if (preg_match(
-                '/(?<token_key>[?&]' . self::URL_QUERY_TOKEN_KEY . '=)(?<token>[^&]+)(?:$|(?<remaining>&.*$))/D',
+                '/(?<token_key>(?:^|&|^&)' . self::URL_QUERY_TOKEN_KEY . '=)(?<token>[^&]+)(?:$|(?<remaining>&.*$))/D',
                 $query,
                 $matches,
                 PREG_OFFSET_CAPTURE
@@ -200,7 +200,9 @@ public function verifyUrl(string $url, bool $allowRedirect = false): array
         }
 
         $parsedUrl = $this->normalizeUrl($parsedUrl);
-        $signedUrl = $this->buildUrl(['query' => substr($query, 0, $tokenOffset)] + $parsedUrl);
+        $signedUrl = $this->buildUrl(
+            ['query' => $tokenOffset > 0 ? substr($query, 0, $tokenOffset) : null] + $parsedUrl
+        );
 
         if ($signedUrl !== $allowedUrl) {
             throw new SignedUrlVerificationException('URL doesn\'t match signed URL');
diff --git a/tests/Plugin/SignUrlTest.php b/tests/Plugin/SignUrlTest.php
@@ -91,6 +91,24 @@ public function testVerifyToken(): void
     }
 
     public function testVerifyUrl(): void
+    {
+        $audience = 'test.' . __FUNCTION__;
+        $timestamp = 1600000000;
+        $url = 'https://host.tld/path';
+
+        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin->setTimestamp($timestamp);
+        $tokenUrl = $plugin->signUrl($url, 1600000600);
+
+        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin->setTimestamp($timestamp);
+        JWT::$timestamp = $timestamp;
+        $parsed = $plugin->verifyUrl($tokenUrl);
+        $expected = [['get'], 0, 1, 1600000600];
+        Assert::equal($expected, $parsed);
+    }
+
+    public function testVerifyUrlQuery(): void
     {
         $audience = 'test.' . __FUNCTION__;
         $timestamp = 1600000000;
