Commit

Fixes yiisoft#4409: Upper case letters in subdirectory prefixes of controller IDs were not properly handled
qiangxue committed Jul 24, 2014
1 parent 4ac6777 commit 390a6c7
Showing 3 changed files with 16 additions and 9 deletions.
13 changes: 8 additions & 5 deletions docs/guide/structure-controllers.md
@@ -112,11 +112,13 @@ For this reason, controller IDs are often nouns referring to the types of the re
For example, you may use `article` as the ID of a controller that handles article data.

By default, controller IDs should contain these characters only: English letters in lower case, digits,
underscores, dashes and forward slashes. For example, `article`, `post-comment`, `admin/post2-comment` are
all valid controller IDs, while `article?`, `PostComment`, `admin\post` are not.
underscores, dashes and forward slashes. For example, `article` and `post-comment` are both valid controller IDs,
while `article?`, `PostComment`, `admin\post` are not.

The dashes in a controller ID are used to separate words, while the forward slashes to organize controllers in
sub-directories.
A controller ID may also contain a subdirectory prefix. For example, `admin/article` stands for an `article` controller
in the `admin` subdirectory under the [[yii\base\Application::controllerNamespace|controller namespace]].
Valid characters for subdirectory prefixes include: English letters in lower and upper cases, digits, underscores and
forward slashes, where forward slashes are used as separators for multi-level subdirectories (e.g. `panels/admin`).


### Controller Class Naming <a name="controller-class-naming"></a>
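Review bot: The retained opening sentence ("By default, controller IDs should contain these characters only: English letters in lower case, ... and forward slashes") now contradicts the new paragraph, which allows upper case letters in a subdirectory prefix. Suggest scoping that first sentence to the part of the ID after the last slash and dropping "forward slashes" from its character list. The new prefix character list also omits dashes without saying so; state explicitly that dashes are not valid in a prefix so readers do not carry the `post-comment` convention over to directory names.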
@@ -134,7 +136,8 @@ takes the default value `app\controllers`:

* `article` derives `app\controllers\ArticleController`;
* `post-comment` derives `app\controllers\PostCommentController`;
* `admin/post2-comment` derives `app\controllers\admin\Post2CommentController`.
* `admin/post-comment` derives `app\controllers\admin\PostCommentController`;
* `adminPanels/post-comment` derives `app\controllers\adminPanels\PostCommentController`.

Controller classes must be [autoloadable](concept-autoloading.md). For this reason, in the above examples,
the `article` controller class should be saved in the file whose [alias](concept-aliases.md)
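Review bot: The `adminPanels/post-comment` example shows the prefix being copied into the namespace as typed while the class part is derived from the dashed name, but the text never says so. Since the following paragraph requires the class to be autoloadable, add a sentence that the prefix is used verbatim as the namespace and directory segment, so its letter case has to match the subdirectory on case-sensitive file systems. The replaced `admin/post2-comment` line was also the only example with a digit in the ID; consider keeping one.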
1 change: 1 addition & 0 deletions framework/CHANGELOG.md
@@ -69,6 +69,7 @@ Yii Framework 2 Change Log
- Bug #4241: `yii\widgets\Pjax` was incorrectly setting container id (mitalcoi)
- Bug #4276: Added check for UPLOAD_ERR_NO_FILE in `yii\web\UploadedFile` and return null if no file was uploaded (OmgDef)
- Bug #4342: mssql (dblib) driver does not support getting attributes (tof06)
- Bug #4409: Upper case letters in subdirectory prefixes of controller IDs were not properly handled (qiangxue)
- Bug: Fixed inconsistent return of `\yii\console\Application::runAction()` (samdark)
- Bug: URL encoding for the route parameter added to `\yii\web\UrlManager` (klimov-paul)
- Bug: Fixed the bug that requesting protected or private action methods would cause 500 error instead of 404 (qiangxue)
11 changes: 7 additions & 4 deletions framework/base/Module.php
@@ -548,10 +548,6 @@ public function createController($route)
*/
public function createControllerByID($id)
{
if (!preg_match('%^[a-z0-9\\-_/]+$%', $id)) {
return null;
}

$pos = strrpos($id, '/');
if ($pos === false) {
$prefix = '';
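Review bot: Removing the whole-ID `preg_match` from the top of `createControllerByID()` changes what the method accepts, but the docblock closed by the `*/` above is not touched by this commit. Suggest documenting the new contract there: the part after the last slash must be lower case, and the prefix may be mixed case. Because `strrpos()` and `substr()` now run on an unvalidated `$id`, a one-line comment that both branches are validated further down would also help the next reader.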
@@ -561,6 +557,13 @@ public function createControllerByID($id)
$className = substr($id, $pos + 1);
}

if (!preg_match('%^[a-z][a-z0-9\\-_]*$%', $className)) {
return null;
}
if ($prefix !== '' && !preg_match('%^[a-z0-9_/]+$%i', $prefix)) {
return null;
}

$className = str_replace(' ', '', ucwords(str_replace('-', ' ', $className))) . 'Controller';
$className = ltrim($this->controllerNamespace . '\\' . str_replace('/', '\\', $prefix) . $className, '\\');
if (strpos($className, '-') !== false || !class_exists($className)) {
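Review bot: The prefix check `%^[a-z0-9_/]+$%i` constrains only the character set, not the shape of each segment, so an ID with an empty segment (`admin//post`) or a segment starting with a digit passes validation and is only rejected later by `class_exists()`; the class part now has to start with a letter but prefix segments do not. Suggest validating the prefix per segment with the same leading-letter rule. Both patterns end in `$` without the `D` modifier, which in PCRE also matches before a trailing newline; use `\z` or add `D` so the ID is matched exactly. With dashes excluded from the prefix and stripped from the class part, the `strpos($className, '-') !== false` test below looks unreachable and could be dropped or commented. None of the three changed files is a test; a case covering a mixed-case prefix and a rejected upper-case class part would pin the fix down.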
