authorFabien Potencier <fabien.potencier@gmail.com>2012-12-11 10:40:14 +0100
committerFabien Potencier <fabien.potencier@gmail.com>2012-12-11 10:40:23 +0100
commit547b1b0225cd1d9561f370a7efd4b76f0f9260f3 (patch)
treede26b8b0c6da424c09fdaf8415057bcaeae2c227
parenta24042b565a4395b76622513857a059b2ef26ba3 (diff)
[Security] fixed path info encoding (closes #6040, closes #5695)
-rw-r--r--Http/HttpUtils.php2
-rw-r--r--Tests/Http/HttpUtilsTest.php5
2 files changed, 6 insertions, 1 deletions
diff --git a/Http/HttpUtils.php b/Http/HttpUtils.php
index 1c87e77..76cfc6a 100644
--- a/Http/HttpUtils.php
+++ b/Http/HttpUtils.php
@@ -106,7 +106,7 @@ class HttpUtils
}
}
- return $path === $request->getPathInfo();
+ return $path === rawurldecode($request->getPathInfo());
}
/**
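Review bot: The new `rawurldecode()` call in the final return of `checkRequestPath` has no comment explaining why the request path is decoded exactly once and why `urldecode()` was not used; that choice is what keeps `+` literal and stops double-encoded input from matching. I would add above the return: `// Decode once, RFC 3986 style: "+" stays a plus and double-encoded input is not unwrapped a second time.` The method's docblock (outside this hunk) should also say that `$path` is compared in decoded form, so an encoded `%2F` in the request now equals a literal `/` in `$path`. Since this comparison presumably decides which requests the security layer treats as a configured path, it is worth confirming that routing and any access rules decode the path the same way. The method body starts above the hunk, so the earlier branch is not visible here.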
diff --git a/Tests/Http/HttpUtilsTest.php b/Tests/Http/HttpUtilsTest.php
index a30051f..fc1b754 100644
--- a/Tests/Http/HttpUtilsTest.php
+++ b/Tests/Http/HttpUtilsTest.php
@@ -97,6 +97,11 @@ class HttpUtilsTest extends \PHPUnit_Framework_TestCase
$this->assertTrue($utils->checkRequestPath($this->getRequest(), '/'));
$this->assertFalse($utils->checkRequestPath($this->getRequest(), '/foo'));
+ $this->assertTrue($utils->checkRequestPath($this->getRequest('/foo%20bar'), '/foo bar'));
+ // Plus must not decoded to space
+ $this->assertTrue($utils->checkRequestPath($this->getRequest('/foo+bar'), '/foo+bar'));
+ // Checking unicode
+ $this->assertTrue($utils->checkRequestPath($this->getRequest(urlencode('/вход')), '/вход'));
$urlMatcher = $this->getMock('Symfony\Component\Routing\Matcher\UrlMatcherInterface');
$urlMatcher
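Review bot: The added assertions only cover paths that should match, so nothing pins the single-decode behaviour. A negative case such as `$this->assertFalse($utils->checkRequestPath($this->getRequest('/foo%2520bar'), '/foo bar'));` would fail if the path were ever decoded twice. The unicode case passes the whole path through `urlencode()`, which also encodes the leading slash, so it additionally depends on `%2F` being decoded; `'/'.rawurlencode('вход')` would isolate the unicode check, assuming the `getRequest()` helper (not visible here) passes the string through unchanged. The comment `// Plus must not decoded to space` should read `// Plus must not be decoded to a space`. The test method begins and ends outside the hunk.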