Fixes #14903: Fixed route with extra dashes is executed controller while it should not

2026-03-04 06:24:36 +01:00 · 2018-01-09 19:59:07 +05:00
parent 72b69e359a
commit a559b9fa76
3 changed files with 57 additions and 5 deletions
--- a/framework/base/Module.php
+++ b/framework/base/Module.php
@@ -626,14 +626,13 @@ class Module extends ServiceLocator
            $className = substr($id, $pos + 1);
        }

-        if (!preg_match('%^[a-z][a-z0-9\\-_]*$%', $className)) {
-            return null;
-        }
-        if ($prefix !== '' && !preg_match('%^[a-z0-9_/]+$%i', $prefix)) {
+        if ($this->isIncorrectClassNameOrPrefix($className, $prefix)) {
            return null;
        }

-        $className = str_replace(' ', '', ucwords(str_replace('-', ' ', $className))) . 'Controller';
+        $className = preg_replace_callback('%-([a-z0-9_])%i', function ($matches) {
+                return ucfirst($matches[1]);
+            }, ucfirst($className)) . 'Controller';
        $className = ltrim($this->controllerNamespace . '\\' . str_replace('/', '\\', $prefix) . $className, '\\');
        if (strpos($className, '-') !== false || !class_exists($className)) {
            return null;
@@ -649,6 +648,23 @@ class Module extends ServiceLocator
        return null;
    }

+    /**
+     * @param string $className
+     * @param string $prefix
+     * @return bool
+     */
+    private function isIncorrectClassNameOrPrefix($className, $prefix)
+    {
+        if (!preg_match('%^[a-z][a-z0-9\\-_]*$%', $className)) {
+            return true;
+        }
+        if ($prefix !== '' && !preg_match('%^[a-z0-9_/]+$%i', $prefix)) {
+            return true;
+        }
+
+        return false;
+    }
+
    /**
     * This method is invoked right before an action within this module is executed.
     *