
Commit 98fff9c

docs: Documents the purpose behind the newly added tests
- Documents the CVE that led to the new tests.
- Documents the differences in behavior between using UriInterface::getPath(), UriInterface::__toString(), and RequestInterface::getRequestTarget().
1 parent 9622b8b commit 98fff9c

2 files changed

+17
-0
lines changed

src/RequestIntegrationTest.php

Lines changed: 5 additions & 0 deletions
@@ -171,6 +171,11 @@ public function testUriPreserveHost_Host_Host()
171171
}
172172

173173
/**
174+
* Tests that getRequestTarget(), when using the default behavior of
175+
* displaying the origin-form, normalizes multiple leading slashes in the
176+
* path to a single slash. This is done to prevent URL poisoning and/or XSS
177+
* issues.
178+
*
174179
* @see UriIntegrationTest::testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS
175180
*/
176181
public function testGetRequestTargetInOriginFormNormalizesUriWithMultipleLeadingSlashesInPath()
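Review bot: the added docblock gives the security rationale only by cross-reference; the `@see UriIntegrationTest::testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS` line is the only pointer, and the CVE link lives in the other file. Since this test guards the same behaviour, add the `@see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3257` line here too so the reason is discoverable without following the chain, and consider stating in the text that the normalization applies to the origin-form request target specifically, so a reader does not assume `__toString()` is normalized as well.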

src/UriIntegrationTest.php

Lines changed: 12 additions & 0 deletions
@@ -241,6 +241,14 @@ public function testPathWithMultipleSlashes()
241241
$this->assertSame($expected, (string) $uri);
242242
}
243243

244+
/**
245+
* Tests that getPath() normalizes multiple leading slashes to a single
246+
* slash. This is done to ensure that when a path is used in isolation from
247+
* the authority, it will not cause URL poisoning and/or XSS issues.
248+
*
249+
* @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3257
250+
* @psalm-param array{expected: non-empty-string, uri: UriInterface} $test
251+
*/
244252
public function testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS()
245253
{
246254
if (isset($this->skippedTests[__FUNCTION__])) {
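Review bot: the added `@psalm-param array{expected: non-empty-string, uri: UriInterface} $test` annotation documents a `$test` parameter, but the signature shown directly below it, `public function testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS()`, declares no parameter. Either the method should accept `$test` (with the corresponding data provider), or the annotation should be dropped to avoid a docblock that contradicts the code. The docblock would also read better with a one-line description of what CVE-2015-3257 covers next to the bare link, and an `@see` to the neighbouring `__toString()` test, since that test already points back here with "in contrast to what is provided when calling getPath()".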
@@ -260,6 +268,10 @@ public function testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreven
260268
}
261269

262270
/**
271+
* Tests that the full string representation of a URI that includes multiple
272+
* leading slashes in the path is presented verbatim (in contrast to what is
273+
* provided when calling getPath()).
274+
*
263275
* @depends testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS
264276
* @psalm-param array{expected: non-empty-string, uri: UriInterface} $test
265277
*/
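Review bot: the new wording "presented verbatim (in contrast to what is provided when calling getPath())" names the contrasting behaviour in prose only; the RequestIntegrationTest hunk uses an `@see` line for the same kind of cross-reference, so add `@see testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS` here as well, which also explains why the existing `@depends` on that test exists. It is also worth stating explicitly that the unnormalized string form is the expected outcome rather than a gap, since a reader comparing the two docblocks could otherwise read the verbatim output as the XSS-prone behaviour.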
