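--- a/<path not shown on page: first file>
+++ b/<path not shown on page: first file>
@@ -171,6 +171,11 @@ public function testUriPreserveHost_Host_Host()
 }
 
 /**
+ * Tests that getRequestTarget(), when using the default behavior of
+ * displaying the origin-form, normalizes multiple leading slashes in the
+ * path to a single slash. This is done to prevent URL poisoning and/or XSS
+ * issues.
+ *
  * @see UriIntegrationTest::testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS
  */
 public function testGetRequestTargetInOriginFormNormalizesUriWithMultipleLeadingSlashesInPath ()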
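Review bot: The new docblock explains the security rationale ("URL poisoning and/or XSS") only in prose, while the sibling test it points to via `@see` cites the concrete advisory; a reader landing here has to follow the cross-reference to learn which issue this guards against. Adding the same reference next to the existing `@see`, ` * @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3257`, makes the reason for normalizing the origin-form path traceable from this test alone. The method body lies outside the hunk, so whether it also asserts the authority is left untouched cannot be checked here.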
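--- a/<path not shown on page: second file>
+++ b/<path not shown on page: second file>
@@ -241,6 +241,14 @@ public function testPathWithMultipleSlashes()
 $ this ->assertSame ($ expected , (string ) $ uri );
 }
 
+/**
+ * Tests that getPath() normalizes multiple leading slashes to a single
+ * slash. This is done to ensure that when a path is used in isolation from
+ * the authority, it will not cause URL poisoning and/or XSS issues.
+ *
+ * @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3257
+ * @psalm-param array{expected: non-empty-string, uri: UriInterface} $test
+ */
 public function testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS ()
 {
 if (isset ($ this ->skippedTests [__FUNCTION__ ])) {
@@ -260,6 +268,10 @@ public function testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreven
 }
 
 /**
+ * Tests that the full string representation of a URI that includes multiple
+ * leading slashes in the path is presented verbatim (in contrast to what is
+ * provided when calling getPath()).
+ *
  * @depends testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS
  * @psalm-param array{expected: non-empty-string, uri: UriInterface} $test
  */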
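Review bot: The new docblock on testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS declares `@psalm-param array{expected: non-empty-string, uri: UriInterface} $test`, but the signature directly below it takes no parameters (`()`), so the annotation documents an argument that does not exist and Psalm will report it as an unused or mismatched param. It looks copied from the `@depends` test further down, which is the one that actually receives `$test` from this method's return value; drop the line from the first docblock, or, if the method is meant to return the fixture for the dependent test, replace it with `@return array{expected: non-empty-string, uri: UriInterface}`. The second hunk's docblock now states the contrast with getPath() clearly; its method signature and body are outside the hunk, so I could not confirm that the `$test` parameter it documents is what the method declares.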