c33s / StaticPageContentBundle

provide static pages in symfony

Susceptibility to directory traversal attacks? #27

Open ghost opened 10 years ago

ghost commented 10 years ago

Is there any way that simply accepting everything for a route path could lead to a directory traversal out of the tree? Or do the underlying Symfony methods already protect against it?

ghost commented 10 years ago

Note that the Symfony cookbook suggests that you use .+ over *:

http://symfony.com/doc/current/cookbook/routing/slash_in_parameter.html

vworldat commented 10 years ago

I will have a look at the directory traversal thing.

Regarding .+ vs .*: I have to re-check; there is a project where I needed the option to have an empty name for some reason. I think it depends on the use case.

ghost commented 10 years ago

I don't think we can really suggest that users ever use either of those. We need something better.

vworldat commented 10 years ago

We could easily provide a ready-to-use routing.yml pointing to the base controller. In combination with the controller configuration you provided, this makes an easy-to-use package:

That's it. Anyone doing their own routing can just copy the sample file.

I don't think there is an easier way that is more transparent. We'd probably have to supply our own Router implementation to make this work without configuring .+. I understand that this is not optimal, but on the other hand I don't think of it as a big issue for users.

c33s commented 10 years ago

For now we should use .+ (I really dislike opening security holes or attack possibilities), and find a solution for an empty name later.
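An added example to illustrate the point raised in this thread; it is not code from StaticPageContentBundle or from any of the participants. A route requirement such as `name: .+` is a regular expression that only decides which URLs match the route, so a request like `/pages/../../etc/passwd` still matches it. Whatever turns the `name` parameter into a file has to confine the result to the page directory itself. The `resolvePagePath()` function below is a hypothetical controller helper that does this with a lexical `..` check plus a `realpath()` containment check; the `.html.twig` suffix and the temporary page directory are assumptions made for the demo.

```php
<?php
// Added example, not the bundle's code. Shows that ".+" as a route
// requirement does nothing against traversal on its own and how the
// lookup behind it can be confined to the page directory.
declare(strict_types=1);

/**
 * Resolve the raw route parameter $name to a page file under $baseDir.
 * Returns the canonical absolute path, or null if the request would
 * escape $baseDir or the page does not exist. The ".html.twig" suffix
 * is an assumption for this demo.
 */
function resolvePagePath(string $baseDir, string $name): ?string
{
    // NUL bytes can truncate the path in C-level filesystem calls.
    if (strpos($name, "\0") !== false) {
        return null;
    }

    // Lexical check before any filesystem access: reject every ".."
    // segment, treating "\" like "/" so "docs\..\..\x" is caught too.
    foreach (explode('/', str_replace('\\', '/', $name)) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "." segments and symlinks and returns false
    // for a missing file; "not found" and "not allowed" both yield null.
    $candidate = realpath($base . '/' . ltrim($name, '/') . '.html.twig');
    if ($candidate === false) {
        return null;
    }

    // Containment check: the canonical path must start with the canonical
    // base directory plus a separator, so "/var/pages-secret" is not
    // accepted as a child of "/var/pages". This also catches a symlink
    // inside the page directory that points outside it.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $candidate;
}

// Constructed demo data: a throw-away page directory with one nested page,
// which is the case ".+" exists for (slashes inside the parameter).
$pages = sys_get_temp_dir() . '/static_pages_' . bin2hex(random_bytes(4));
mkdir($pages . '/docs', 0700, true);
file_put_contents($pages . '/about.html.twig', 'About');
file_put_contents($pages . '/docs/intro.html.twig', 'Intro');

// Every one of these names matches the requirement ".+"; only the
// containment logic decides which of them are served.
$requests = ['about', 'docs/intro', 'docs/./intro', '../outside', 'docs/../../outside', "about\0.txt"];
foreach ($requests as $name) {
    $resolved = resolvePagePath($pages, $name);
    printf("%-22s => %s\n", addcslashes($name, "\0"),
        $resolved === null ? 'rejected or not found' : 'ok: ' . basename($resolved));
}

// Clean up the constructed directory.
unlink($pages . '/docs/intro.html.twig');
unlink($pages . '/about.html.twig');
rmdir($pages . '/docs');
rmdir($pages);
```

Run it with `php resolve_demo.php`: the two legitimate names (including the nested `docs/intro` that `.+` is needed for) resolve, while the `..` variants and the NUL-byte name are rejected before any file is opened. The lexical check and the `realpath()` comparison are deliberately both present; the first fails fast and needs no filesystem access, the second is what actually proves the canonical path lies under the base directory.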