Commit 81e3b67
Validate PHP classnames in di.xml files via schema

The preferenceType @for/@type attributes, the typeType @name attribute,
the virtualTypeType @type attribute and the pluginType @type attribute
contain class-names (FQCNs) which should not start with a leading
backslash (U+005C "\") and should not contain other invalid character
sequences that would represent an invalid PHP class-name.

Previously this was possible and these errors went unnoticed within di.xml
configuration file validation.

The ObjectManager - a user of these configurations - handles this common
error in user input in part so far by removing any trailing slashes with
multiple calls like:

    $type = ltrim($type, '\\');

This change has been introduced in 33ebc24 and could be classified as a
workaround for a quite common mistake when specifying an FQCN that despite
the varying notations in the PHP manual due to the contextual resolution
rules (and different to a file-system's absolute path in POSIX) must not
start with a leading separator as type or class-name.

When using a string-value as class-name (e.g. class_exists() calls) the
class name is always an FQCN as namespacing in PHP is contextual within
source-code for identifiers only and not for strings.

So relative class-names (like those with a leading backslash) do not
apply for strings. This is the case in configuration files like di.xml
files. The di.xml files use the

    urn:magento:framework:ObjectManager/etc/config.xsd

schema location which is resolved by UrnResolver (6379732) to

    lib/internal/Magento/Framework/ObjectManager/etc/config.xsd

That schema did validate class-name attribute values only against the
simple type of being strings (xs:string). As a class-name in PHP is a
valid string also if starting with the backslash character (and other
invalid names, like digits in front), this commit extends the schema
to validate against the regular expression provided by the PHP manual [1]:
^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$
by adding a new simple-type called "phpFqcn" that qualifies the string-
base-type with the pattern translated from the PHP manual:
[a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*
extended for namespaced class-names:
([a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*)(\\[a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*)*
The change ensures that the said attribute values are validated and
invalid class-names are recognized during schema based validation.

This change prevents that configured PHP-types can be autoloaded when
used w/o smudging (see the ltrim() operation). It has been documented [2]
that the leading backslash prevents correct file-resolution when auto-
loading with the Composer autoloader, a component actively used by the
Magento application.

This change adheres to existing PR #8638 and relates to issue #8635.

Refs:

- #8635
- #8638
- [1] https://php.net/language.oop5.basic
- [2] http://magento.stackexchange.com/a/161010
- 33ebc24
- 6379732

1 parent 0b243b8 commit 81e3b67
1 file changed: 19 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
29 | 43 | | |
30 | 44 | | |
31 | 45 | | |
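Review bot: the character class of the new "phpFqcn" pattern (added lines 29-42) should be checked character by character, because the commit message gives it as `[a-zA-Z_-ÿ]`. Read literally, that is a range from `_` to `ÿ`, which also admits the backtick, `{`, `|`, `}` and `~`, while the PHP manual expression it translates, `[a-zA-Z_\x7f-\xff]`, does not. If the range is meant to start at a literal U+007F control character, consider writing it as the character reference `&#x7F;` in the schema so the range start stays visible and survives editors and copy and paste.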
| |||
102 | 116 | | |
103 | 117 | | |
104 | 118 | | |
105 | | - | |
106 | | - | |
| 119 | + | |
| 120 | + | |
107 | 121 | | |
108 | 122 | | |
109 | 123 | | |
| |||
121 | 135 | | |
122 | 136 | | |
123 | 137 | | |
124 | | - | |
| 138 | + | |
125 | 139 | | |
126 | 140 | | |
127 | 141 | | |
| |||
133 | 147 | | |
134 | 148 | | |
135 | 149 | | |
136 | | - | |
| 150 | + | |
137 | 151 | | |
138 | 152 | | |
139 | 153 | | |
140 | 154 | | |
141 | 155 | | |
142 | 156 | | |
143 | | - | |
| 157 | + | |
144 | 158 | | |
145 | 159 | | |
146 | 160 | | |
| |||
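The check the commit message describes, as an added example that is not code from this commit or from Magento: it applies the PHP manual expression, extended for namespaces, to the class-name attributes the message lists. The element names and the sample di.xml are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# PHP manual label expression, with labels joined by single backslashes for
# namespaces as the commit message describes. fullmatch() mirrors XSD
# pattern facets, which always apply to the whole attribute value.
LABEL = r"[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*"
PHP_FQCN = re.compile(rf"{LABEL}(?:\\{LABEL})*")

# Attributes the commit message names as carrying class-names. The element
# names are an assumption derived from the schema type names in the message.
CLASS_ATTRS = {
    "preference": ("for", "type"),
    "type": ("name",),
    "virtualType": ("type",),
    "plugin": ("type",),
}

# Constructed sample, not taken from any real module.
SAMPLE_DI_XML = r"""<config>
  <preference for="\Vendor\Api\FooInterface" type="Vendor\Model\Foo"/>
  <type name="Vendor\Model\Bar">
    <plugin name="bar_plugin" type="Vendor\Plugin\1stTry"/>
  </type>
  <virtualType name="fooVirtual" type="Vendor\\Model\Foo"/>
  <type name="Vendor\Model\Baz"/>
</config>"""


def find_invalid_class_names(di_xml):
    """Return (element, attribute, value) for every invalid class-name."""
    findings = []
    for elem in ET.fromstring(di_xml).iter():
        for attr in CLASS_ATTRS.get(elem.tag, ()):
            value = elem.get(attr)
            if value is not None and not PHP_FQCN.fullmatch(value):
                findings.append((elem.tag, attr, value))
    return findings


if __name__ == "__main__":
    for tag, attr, value in find_invalid_class_names(SAMPLE_DI_XML):
        print(f"<{tag}> @{attr}: invalid class-name {value!r}")
```

The sample yields three findings: a leading backslash, a label starting with a digit, and a doubled namespace separator.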