Merge branch '7.2' into 7.3

xabbuh · xabbuh · commit cf21254e982b · 2025-03-31T10:49:55.000+02:00
* 7.2:
  fix tests with Doctrine ORM 3.4+ on PHP &lt; 8.4
  reject URLs with URL-encoded non UTF-8 characters in the host part
  Bump Symfony version to 7.2.6
  Update VERSION for 7.2.5
  Update CHANGELOG for 7.2.5
  Bump Symfony version to 6.4.21
  Update VERSION for 6.4.20
  Update CONTRIBUTORS for 6.4.20
  Update CHANGELOG for 6.4.20
diff --git a/Tests/TextSanitizer/UrlSanitizerTest.php b/Tests/TextSanitizer/UrlSanitizerTest.php
@@ -568,8 +568,8 @@ public static function provideParse(): iterable
             'http://你好你好' => ['scheme' => 'http', 'host' => '你好你好'],
             'https://faß.ExAmPlE/' => ['scheme' => 'https', 'host' => 'faß.ExAmPlE'],
             'sc://faß.ExAmPlE/' => ['scheme' => 'sc', 'host' => 'faß.ExAmPlE'],
-            'http://%30%78%63%30%2e%30%32%35%30.01' => ['scheme' => 'http', 'host' => '%30%78%63%30%2e%30%32%35%30.01'],
-            'http://%30%78%63%30%2e%30%32%35%30.01%2e' => ['scheme' => 'http', 'host' => '%30%78%63%30%2e%30%32%35%30.01%2e'],
+            'http://%30%78%63%30%2e%30%32%35%30.01' => null,
+            'http://%30%78%63%30%2e%30%32%35%30.01%2e' => null,
             'http://０Ｘｃ０．０２５０．０１' => ['scheme' => 'http', 'host' => '０Ｘｃ０．０２５０．０１'],
             'http://./' => ['scheme' => 'http', 'host' => '.'],
             'http://../' => ['scheme' => 'http', 'host' => '..'],
@@ -689,7 +689,7 @@ public static function provideParse(): iterable
             'urn:ietf:rfc:2648' => ['scheme' => 'urn', 'host' => null],
             'tag:joe@example.org,2001:foo/bar' => ['scheme' => 'tag', 'host' => null],
             'non-special://%E2%80%A0/' => ['scheme' => 'non-special', 'host' => '%E2%80%A0'],
-            'non-special://H%4fSt/path' => ['scheme' => 'non-special', 'host' => 'H%4fSt'],
+            'non-special://H%4fSt/path' => null,
             'non-special://[1:2:0:0:5:0:0:0]/' => ['scheme' => 'non-special', 'host' => '[1:2:0:0:5:0:0:0]'],
             'non-special://[1:2:0:0:0:0:0:3]/' => ['scheme' => 'non-special', 'host' => '[1:2:0:0:0:0:0:3]'],
             'non-special://[1:2::3]:80/' => ['scheme' => 'non-special', 'host' => '[1:2::3]'],
diff --git a/TextSanitizer/UrlSanitizer.php b/TextSanitizer/UrlSanitizer.php
@@ -100,6 +100,10 @@ public static function parse(string $url): ?array
                 return null;
             }
 
+            if (isset($parsedUrl['host']) && self::decodeUnreservedCharacters($parsedUrl['host']) !== $parsedUrl['host']) {
+                return null;
+            }
+
             return $parsedUrl;
         } catch (SyntaxError) {
             return null;
@@ -139,4 +143,16 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar
 
         return true;
     }
+
+    /**
+     * Implementation borrowed from League\Uri\Encoder::decodeUnreservedCharacters().
+     */
+    private static function decodeUnreservedCharacters(string $host): string
+    {
+        return preg_replace_callback(
+            ',%(2[1-9A-Fa-f]|[3-7][0-9A-Fa-f]|61|62|64|65|66|7[AB]|5F),',
+            static fn (array $matches): string => rawurldecode($matches[0]),
+            $host
+        );
+    }
 }
