laminas / laminas-router

Flexible routing system for HTTP and console applications
https://docs.laminas.dev/laminas-router/
BSD 3-Clause "New" or "Revised" License
34 stars 16 forks source link

Slashes in route params are unescaped when passing uri option #1

Open weierophinney opened 4 years ago

weierophinney commented 4 years ago

I expect a parameter passed to a segment route to always be escaped. When I pass an uri option when assembling a route, for whatever reason slashes in the route parameters are unescaped. This causes the route to no longer match correctly.

$router = \Zend\Router\Http\TreeRouteStack::factory([
    'routes' => [
        'example-route' => [
            'type' => \Zend\Router\Http\Segment::class,
            'options' => [
                'route' => '/example/route/with/:token',
            ],
        ],
    ],
]);

var_dump($router->assemble([
    'token' => 'token/with/slashes',
], [
    'name' => 'example-route',
]));
// string(42) "/example/route/with/token%2Fwith%2Fslashes"

var_dump($router->assemble([
    'token' => 'token/with/slashes',
], [
    'name' => 'example-route',
    'uri' => new \Zend\Uri\Uri('/'),
]));
// string(38) "/example/route/with/token/with/slashes"

I expect the token parameter in the second case to also become encoded. For some reason passing an uri without normalize_path: false normalizes the path, unescaping the passed parameters.

Undesired normalization happens by default in these places:

https://github.com/zendframework/zend-router/blob/5ce5ff9630c4467e3eaf7cf06d78dbb2296a41b4/src/Http/TreeRouteStack.php#L420-L422

https://github.com/zendframework/zend-router/blob/5ce5ff9630c4467e3eaf7cf06d78dbb2296a41b4/src/Http/TreeRouteStack.php#L428-L430


Originally posted by @villermen at https://github.com/zendframework/zend-router/issues/56

demiankatz commented 4 years ago

Just a quick note to say that I fell foul of the same problem, though I was able to work around it by adding the normalize_path: false option too.