1 file changed: +12 -0 lines changed
@@ -119,6 +119,18 @@ echo (string) Uri::new('http://example.com/path/to?#');
119119
120120<p class =" message-info " >This improved compliance is available since version <code >7.5.0</code ></p >
121121
122+ Because ` PSR-7 ` UriInterface implementing object ` getPath ` may be used in
123+ header. A security issue may rise if the path is not stripped of multiple starting ` / ` .
124+ As such, ` getPath ` yield a different result depending on its raw value:
125+
126+ ~~~ php
127+ echo Http::new('https://example.com//miscillaneous.tld')->getPath();
128+ // returns '/miscillaneous.tld' the extra leading slashes are removed
129+
130+ echo Uri::new('https://example.com//miscillaneous.tld')->getPath();
131+ // returns '//miscillaneous.tld' the leading slashes are preserved
132+ ~~~
133+
122134## PSR-17 compatibility
123135
124136The package also provides an implementation of the ` UriFactoryInterface ` from [ PSR-17] ( https://www.php-fig.org/psr/psr-17/ )
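
Review bot: The added paragraph (new lines 122-124) never states the actual risk, and its first sentence is a fragment: "may be used in header" names neither the header nor what goes wrong. Suggest saying that a path beginning with `//`, placed on its own in a header value, is parsed as a network-path reference under RFC 3986, so its first segment is taken as a host rather than a path, and that this is why `Http::getPath` collapses the leading slashes. The sentence "`getPath` yield a different result depending on its raw value" also does not match the example, which shows the result differing by class (`Http` versus `Uri`) for the same input; reword it to say so, and fix "rise" to "arise", "yield" to "yields" and the "miscillaneous" spelling. The code comments say "returns" although both lines `echo` the value, so "displays" would be consistent.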