diff --git a/system/Filters/InvalidChars.php b/system/Filters/InvalidChars.php index 1cd775153c0e..85e71c5d4f59 100644 --- a/system/Filters/InvalidChars.php +++ b/system/Filters/InvalidChars.php @@ -87,11 +87,18 @@ public function after(RequestInterface $request, ResponseInterface $response, $a * @param array|string $value * * @return array|string + * + * @throws SecurityException */ protected function checkEncoding($value) { if (is_array($value)) { - array_map($this->checkEncoding(...), $value); + foreach ($value as $key => $item) { + if (is_string($key)) { + $this->checkEncoding($key); + } + $this->checkEncoding($item); + } return $value; } @@ -113,7 +120,12 @@ protected function checkEncoding($value) protected function checkControl($value) { if (is_array($value)) { - array_map($this->checkControl(...), $value); + foreach ($value as $key => $item) { + if (is_string($key)) { + $this->checkControl($key); + } + $this->checkControl($item); + } return $value; } diff --git a/tests/system/Filters/InvalidCharsTest.php b/tests/system/Filters/InvalidCharsTest.php index 8aa935b14383..4cf112b6da91 100644 --- a/tests/system/Filters/InvalidCharsTest.php +++ b/tests/system/Filters/InvalidCharsTest.php @@ -103,13 +103,51 @@ public function testBeforeInvalidUTF8StringCausesException(): void $this->invalidChars->before($this->request); } - public function testBeforeInvalidControlCharCausesException(): void + public function testBeforeInvalidUTF8StringInArrayKeyCausesException(): void + { + $this->expectException(SecurityException::class); + $this->expectExceptionMessage('Invalid UTF-8 characters in post:'); + + $sjisString = mb_convert_encoding('SJISの文字列です。', 'SJIS'); + service('superglobals')->setPost('val', [ + $sjisString => 'valid string', + ]); + + $this->invalidChars->before($this->request); + } + + #[DataProvider('provideBeforeInvalidControlCharCausesException')] + public function testBeforeInvalidControlCharCausesException(string $invalidString): void + { + $this->expectException(SecurityException::class); + $this->expectExceptionMessage('Invalid Control characters in cookie:'); + + service('superglobals')->setCookie('val', $invalidString); + + $this->invalidChars->before($this->request); + } + + /** + * @return iterable> + */ + public static function provideBeforeInvalidControlCharCausesException(): iterable + { + yield 'null byte' => ["String with null char \0"]; + + yield 'backspace' => ["String with backspace \x08"]; + + yield 'escape' => ["String with escape \x1b"]; + } + + public function testBeforeInvalidControlCharInArrayKeyCausesException(): void { $this->expectException(SecurityException::class); $this->expectExceptionMessage('Invalid Control characters in cookie:'); $stringWithNullChar = "String contains null char and line break.\0\n"; - service('superglobals')->setCookie('val', $stringWithNullChar); + service('superglobals')->setCookie('val', [ + $stringWithNullChar => 'valid string', + ]); $this->invalidChars->before($this->request); } diff --git a/user_guide_src/source/changelogs/v4.7.4.rst b/user_guide_src/source/changelogs/v4.7.4.rst index f9cc995ad22a..b31f5507687d 100644 --- a/user_guide_src/source/changelogs/v4.7.4.rst +++ b/user_guide_src/source/changelogs/v4.7.4.rst @@ -32,6 +32,7 @@ Bugs Fixed - **API:** Fixed a bug in Transformers where the root request's ``fields`` and ``include`` query parameters leaked into nested transformers created inside ``include*()`` methods, causing incorrect field filtering, unexpected includes, or infinite recursion. - **Database:** Fixed a bug where ``updateBatch()`` could be called after Query Builder ``where()`` conditions, even though it's not supported. In this situation, now the ``DatabaseException`` is thrown. +- **Filters:** Fixed a bug in ``InvalidChars`` filter where invalid UTF-8 or control characters in array keys were not checked. - **HTTP:** Fixed a bug where the User Agent library reported Safari's WebKit version instead of the browser version from the ``Version`` token. - **Model:** Fixed a bug in ``Model::objectToRawArray()`` where the ``$recursive`` parameter was ignored.