The Request class does not parse URIs containing special characters the same way browsers do. As a result, an attacker can trick a validator that relies on the Request class into redirecting users to another domain (an open redirect).
The Request::create methods now assert that the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/.
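The parsing divergence behind this advisory, and the kind of character check the fix introduces, illustrated here as an added example in Python; this is not Symfony's code and not the patch. urllib.parse stands in for PHP's parse_url(), which Request::create builds on, and browser_host is a deliberately simplified model of the WHATWG URL Standard's authority parsing for http(s)-style schemes. The trusted host, the payload URLs and all function names are constructed for the illustration.

```python
"""Server-side vs. browser URL parsing, and the open redirect it enables."""
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_HOST = "example.com"  # constructed: the only host the validator allows
SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp"}  # file: left out here

# Characters the URL Standard allows in a URL ("URL code points"), plus '%'
# for percent-encoding, '#' as the fragment delimiter and '[]' for IPv6 hosts.
# Backslash, whitespace, C0 controls, '"<>^`{|}' are deliberately absent.
URL_CODE_POINTS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!$&'()*+,-./:;=?@_~"
    "%#[]"
)


def browser_host(url: str) -> Optional[str]:
    """Host a WHATWG-conformant browser resolves for a special-scheme URL.

    Simplified model of the standard: tab/LF/CR are removed anywhere, leading
    and trailing C0 controls or spaces are dropped, '\\' is treated like '/'
    after the scheme, the authority ends at the first '/', '\\', '?' or '#',
    and the host is whatever follows the last '@' inside that authority.
    """
    s = url.replace("\t", "").replace("\n", "").replace("\r", "")
    s = s.strip("".join(chr(c) for c in range(0x21)))
    scheme, sep, rest = s.partition(":")
    if not sep or scheme.lower() not in SPECIAL_SCHEMES:
        return None
    rest = rest.lstrip("/\\")
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch in "/\\?#":
            end = i
            break
    authority = rest[:end]
    host = authority.rpartition("@")[2]
    if host.startswith("["):  # IPv6 literal: keep the bracketed form
        return host.split("]")[0].lower() + "]"
    return host.partition(":")[0].lower()


def server_host(url: str) -> Optional[str]:
    """Host as a conventional server-side parser reports it.

    Like parse_url(), urlsplit cuts the authority only at '/', '?' or '#',
    so a backslash stays inside it: 'evil.com\\@example.com' becomes
    userinfo 'evil.com\\' plus host 'example.com'.
    """
    return urlsplit(url).hostname


def is_safe_redirect_vulnerable(url: str) -> bool:
    """The pattern the advisory describes: trust the server parser's host."""
    return server_host(url) == TRUSTED_HOST


def assert_valid_uri(url: str) -> str:
    """Reject any ASCII character the URL Standard does not permit.

    One way to implement the idea of the fix (assert the URI has no invalid
    characters); it is an illustration, not Symfony's implementation.
    """
    for ch in url:
        if ord(ch) < 0x80 and ch not in URL_CODE_POINTS:
            raise ValueError(f"invalid character {ch!r} in URI")
    return url


def is_safe_redirect_fixed(url: str) -> bool:
    """Validate characters first, then require both parsers to agree."""
    try:
        assert_valid_uri(url)
    except ValueError:
        return False
    return server_host(url) == TRUSTED_HOST and browser_host(url) == TRUSTED_HOST


if __name__ == "__main__":
    # Constructed payload: the server parser sees host example.com (the part
    # after the last '@'), a browser stops the authority at '\' and goes to evil.com.
    payload = "https://evil.com\\@example.com"
    for u in (payload, "https://example.com/login", "https://evil.com#@example.com"):
        print(f"{u!r:40} server={server_host(u)!s:12} browser={browser_host(u)!s:12} "
              f"vulnerable={is_safe_redirect_vulnerable(u)} fixed={is_safe_redirect_fixed(u)}")
```

The vulnerable validator accepts the payload because the host field it checks is the one after the last `@`; the browser, following the URL Standard, ends the authority at the backslash and lands on the attacker's domain. Rejecting characters outside the standard's allowed set removes the input on which the two parsers disagree, which is the property the fix relies on.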
The patch for this issue is available here for branch 5.4.
We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.
{ "nvd_published_at": "2024-11-06T21:15:06Z", "cwe_ids": [ "CWE-601" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-11-06T15:22:09Z" }