author | Arnold Daniels <arnold@jasny.net> | 2016-11-29 23:56:03 +0100 |
---|---|---|
committer | Arnold Daniels <arnold@jasny.net> | 2016-11-29 23:56:03 +0100 |
commit | 312fab48f1de4562851a4176285d6a1aca251df2 (patch) | |
tree | 54a72aa1dceef7f8153fcee59fdddcbf317569b1 | |
parent | b895c4a0cc966bd397168c5f5dd61a1fb000423e (diff) | |
Enforce that the namespace of a controller is done through an array (origin/strict-controller-class)
Allowing the use of a backslash could also lead to security issues
-rw-r--r-- | src/Router/Runner/Controller.php | 2 | ||||
-rw-r--r-- | tests/Router/Runner/ControllerTest.php | 5 |
2 files changed, 6 insertions, 1 deletions
diff --git a/src/Router/Runner/Controller.php b/src/Router/Runner/Controller.php
index f230cb9..eb26ecd 100644
--- a/src/Router/Runner/Controller.php
+++ b/src/Router/Runner/Controller.php
@@ -75,7 +75,7 @@ class Controller extends Runner
 {
 return preg_replace_callback('/(?:^|(\w)-)(\w)/', function($match) {
 return $match[1] . strtoupper($match[2]);
- }, strtolower($string));
+ }, strtolower(addcslashes($string, '\\')));
 }
 
 /**
diff --git a/tests/Router/Runner/ControllerTest.php b/tests/Router/Runner/ControllerTest.php
index 365ed65..5045c4d 100644
--- a/tests/Router/Runner/ControllerTest.php
+++ b/tests/Router/Runner/ControllerTest.php
@@ -78,6 +78,11 @@ class ControllerTest extends \PHPUnit_Framework_TestCase
 'foo--bar-zoo',
 "Can't route to controller 'Foo--barZooController': invalid classname"
 ],
+ [
+ null,
+ 'Foo\Bar\zoo',
+ "Can't route to controller 'Foo\\\\bar\\\\zooController': invalid classname"
+ ]
 ];
 }
 |
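Review bot: In src/Router/Runner/Controller.php the backslash is only neutralised indirectly. `addcslashes($string, '\\')` doubles each backslash, and the route is refused only because a later class-name check, which is outside this hunk, rejects the doubled separator; the new test expects `invalid classname`. If that check is ever relaxed or starts normalising separators, a string segment could again choose the namespace of the class that gets loaded. I would record the intent on the changed line, e.g. `// double backslashes so a namespace separator inside a string segment fails the class-name check`, and have the validation step reject any segment containing `\` explicitly instead of depending on the mangled form. The enclosing method begins above the hunk.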
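Review bot: The added data-provider row in tests/Router/Runner/ControllerTest.php exercises only a plain string containing backslashes. The array form that the commit title makes mandatory is not tested with a backslash inside one of its elements. If array segments go through the same conversion, a second row with the controller given as an array whose element contains a backslash, and the same `invalid classname` expectation, would pin that a segment cannot carry a separator either. Writing the input as `'Foo\\Bar\\zoo'` would also make the single-quoted backslashes explicit. The provider method starts outside the hunk.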