From e80af78e097f319272f0896dcf15d1ee44dce2dc Mon Sep 17 00:00:00 2001
From: Alejandro Celaya
Date: Tue, 17 Dec 2024 18:00:02 +0100
Subject: [PATCH] Be less restrictive on what characters are disallowed in custom slugs
---
 CHANGELOG.md | 4 ++++
 .../src/ShortUrl/Model/Validation/CustomSlugValidator.php | 6 +++---
 .../ShortUrl/Model/Validation/CustomSlugValidatorTest.php | 6 ++----
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb43ec7e..241b734e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com), and this
 This option effectively replaces the old `REDIRECT_APPEND_EXTRA_PATH` option, which is now deprecated and will be removed in Shlink 5.0.0
+* [#2156](https://github.com/shlinkio/shlink/issues/2156) Be less restrictive on what characters are disallowed in custom slugs.
+
+ All [URI-reserved characters](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) were disallowed up until now, but from now on, only the gen-delimiters are.
+
 ### Changed
 * [#2281](https://github.com/shlinkio/shlink/issues/2281) Update docker image to PHP 8.4
 * [#2124](https://github.com/shlinkio/shlink/issues/2124) Improve how Shlink decides if a GeoLite db file needs to be downloaded, and reduces the chances for API limits to be reached.
diff --git a/module/Core/src/ShortUrl/Model/Validation/CustomSlugValidator.php b/module/Core/src/ShortUrl/Model/Validation/CustomSlugValidator.php
index f3341698..3d3e7792 100644
--- a/module/Core/src/ShortUrl/Model/Validation/CustomSlugValidator.php
+++ b/module/Core/src/ShortUrl/Model/Validation/CustomSlugValidator.php
@@ -46,10 +46,10 @@ class CustomSlugValidator extends AbstractValidator
 return false;
 }
- // URL reserved characters: https://datatracker.ietf.org/doc/html/rfc3986#section-2.2
- $reservedChars = "!*'();:@&=+$,?%#[]";
+ // URL gen-delimiter reserved characters, except `/`: https://datatracker.ietf.org/doc/html/rfc3986#section-2.2
+ $reservedChars = ':?#[]@';
 if (! $this->options->multiSegmentSlugsEnabled) {
- // Slashes should be allowed for multi-segment slugs
+ // Slashes should only be allowed if multi-segment slugs are enabled
 $reservedChars .= '/';
 }
diff --git a/module/Core/test/ShortUrl/Model/Validation/CustomSlugValidatorTest.php b/module/Core/test/ShortUrl/Model/Validation/CustomSlugValidatorTest.php
index 86f695c7..f763b44e 100644
--- a/module/Core/test/ShortUrl/Model/Validation/CustomSlugValidatorTest.php
+++ b/module/Core/test/ShortUrl/Model/Validation/CustomSlugValidatorTest.php
@@ -59,13 +59,11 @@ class CustomSlugValidatorTest extends TestCase
 public static function provideInvalidValues(): iterable
 {
+ yield ['port:8080'];
 yield ['foo?bar=baz'];
 yield ['some-thing#foo'];
- yield ['call()'];
- yield ['array[]'];
+ yield ['brackets[]'];
 yield ['email@example.com'];
- yield ['wildcard*'];
- yield ['$500'];
 }
 public function createValidator(bool $multiSegmentSlugsEnabled = false): CustomSlugValidator
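Review bot: The new `$reservedChars = ':?#[]@';` line also stops rejecting `%`, which was in the old list but is neither a gen-delim nor a sub-delim in RFC 3986, so its removal is not covered by the commit message or the changelog entry. With `%` accepted, a custom slug can carry the percent-encoded form of a delimiter that is still forbidden literally. Whether that form is decoded before the slug is matched or stored depends on routing code that is not visible here. Unless accepting it is intended, keep it in the denylist, `$reservedChars = ':?#[]@%';`, and extend the comment to say that `%` is blocked as the percent-encoding introducer. The check that consumes `$reservedChars` lies outside this hunk, so the effect on matching should be confirmed there.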
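Review bot: The cases dropped from `provideInvalidValues()` (`call()`, `wildcard*`, `$500`) are deleted rather than moved, and the diffstat shows only the two insertions in this hunk for the file, so no test pins the newly accepted sub-delimiters as valid. Adding them to the provider that feeds the valid-slug test, for example `yield ['call()'];`, `yield ['wildcard*'];` and `yield ['$500'];`, would make a later change to the denylist visible in either direction. That provider is outside the hunk, so its name and argument shape need checking before the cases are added.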