Update PSR-7 integration tests #128
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Updates to 1.2.0, which adds the tests we wrote for mitigating ZF2015-05, with a few changes: - When creating the string representation of the URL, we DO NOT normalize the path to remove multiple leading slashes. In its absolute form, this is not necessary. - All normalization is done via `getPath()`; this mitigates the common XSS scenario. - It adds a test to validate that when using origin-form during a `RequestInterface::getRequestTarget()` call, it will use the results of `getPath()`, as this is a scenario where the XSS could also occur. I have removed one test from `UriTest`, as it contradicts the first point above. Since the scenario is covered in the PSR-7 integration tests, we are covered. See php-http/psr7-integration-tests#54 for more details. Signed-off-by: Matthew Weier O'Phinney <matthew@weierophinney.net>
Since I was able to return earlier in `filterPath()`, I was able to remove a number of dead conditionals. Signed-off-by: Matthew Weier O'Phinney <matthew@weierophinney.net>
Flagged by Psalm. Signed-off-by: Matthew Weier O'Phinney <matthew@weierophinney.net>
l0gicgate
approved these changes
Dec 14, 2022
Ocramius
approved these changes
Dec 14, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Updates to 1.2.0 of the PSR-7 integration test suite, which adds the tests we wrote for mitigating ZF2015-05, and requires a few changes:
getPath(); this mitigates the common XSS scenario.RequestInterface::getRequestTarget()call, it will use the results ofgetPath(), as this is a scenario where the XSS could also occur.I have removed one test from
UriTest, as it contradicts the first point above. Since the scenario is covered in the PSR-7 integration tests, we are covered.See php-http/psr7-integration-tests#54 for more details.