bug #58776 [DependencyInjection][HttpClient][Routing] Reject URIs that contain invalid characters (nicolas-grekas)

This PR was merged into the 7.2 branch.

Discussion
----------

[DependencyInjection][HttpClient][Routing] Reject URIs that contain invalid characters

| Q             | A
| ------------- | ---
| Branch?       | 7.2
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Issues        | -
| License       | MIT

The behavior of `parse_url()` doesn't match how browsers parse URLs. This PR ensures we won't accept URLs that are invalid per https://url.spec.whatwg.org/:
- URLs that contain a backslash
- or start/end with a control-char or a space
- or contain a CR/LF/TAB character

Commits
-------

d73003e3b58 [DependencyInjection][Routing][HttpClient] Reject URIs that contain invalid characters

Author: nicolas-grekas

HttpClientTrait.php

@@ -625,6 +625,16 @@ private static function resolveUrl(array $url, ?array $base, array $queryDefault
      */
     private static function parseUrl(string $url, array $query = [], array $allowedSchemes = ['http' => 80, 'https' => 443]): array
     {
+        if (false !== ($i = strpos($url, '\\')) && $i < strcspn($url, '?#')) {
+            throw new InvalidArgumentException(\sprintf('Malformed URL "%s": backslashes are not allowed.', $url));
+        }
+        if (\strlen($url) !== strcspn($url, "\r\n\t")) {
+            throw new InvalidArgumentException(\sprintf('Malformed URL "%s": CR/LF/TAB characters are not allowed.', $url));
+        }
+        if ('' !== $url && (\ord($url[0]) <= 32 || \ord($url[-1]) <= 32)) {
+            throw new InvalidArgumentException(\sprintf('Malformed URL "%s": leading/trailing ASCII control characters or spaces are not allowed.', $url));
+        }
+
         if (false === $parts = parse_url($url)) {
             if ('/' !== ($url[0] ?? '') || false === $parts = parse_url($url.'#')) {
                 throw new InvalidArgumentException(\sprintf('Malformed URL "%s".', $url));

Tests/HttpClientTraitTest.php

@@ -239,13 +239,32 @@ public function testResolveUrlWithoutScheme()
         self::resolveUrl(self::parseUrl('localhost:8080'), null);
     }
 
-    public function testResolveBaseUrlWitoutScheme()
+    public function testResolveBaseUrlWithoutScheme()
     {
         $this->expectException(InvalidArgumentException::class);
         $this->expectExceptionMessage('Invalid URL: scheme is missing in "//localhost:8081". Did you forget to add "http(s)://"?');
         self::resolveUrl(self::parseUrl('/foo'), self::parseUrl('localhost:8081'));
     }
 
+    /**
+     * @testWith ["http://foo.com\\bar"]
+     *           ["\\\\foo.com/bar"]
+     *           ["a\rb"]
+     *           ["a\nb"]
+     *           ["a\tb"]
+     *           ["\u0000foo"]
+     *           ["foo\u0000"]
+     *           [" foo"]
+     *           ["foo "]
+     *           [":"]
+     */
+    public function testParseMalformedUrl(string $url)
+    {
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('Malformed URL');
+        self::parseUrl($url);
+    }
+
     /**
      * @dataProvider provideParseUrl
      */