[FrameworkBundle] Forbid env parameters in routing configuration

nicolas-grekas · nicolas-grekas · commit 8d806282dc09 · 2016-11-29T18:09:44.000+01:00
diff --git a/Routing/Router.php b/Routing/Router.php
@@ -146,6 +146,10 @@ private function resolve($value)
                 return '%%';
             }
 
+            if (preg_match('/^env\(\w+\)$/', $match[1])) {
+                throw new RuntimeException(sprintf('Using "%%%s%%" is not allowed in routing configuration.', $match[1]));
+            }
+
             $resolved = $container->getParameter($match[1]);
 
             if (is_string($resolved) || is_numeric($resolved)) {
diff --git a/Tests/Routing/RouterTest.php b/Tests/Routing/RouterTest.php
@@ -131,6 +131,20 @@ public function testPatternPlaceholders()
         );
     }
 
+    /**
+     * @expectedException \Symfony\Component\DependencyInjection\Exception\RuntimeException
+     * @expectedExceptionMessage Using "%env(FOO)%" is not allowed in routing configuration.
+     */
+    public function testEnvPlaceholders()
+    {
+        $routes = new RouteCollection();
+
+        $routes->add('foo', new Route('/%env(FOO)%'));
+
+        $router = new Router($this->getServiceContainer($routes), 'foo');
+        $router->getRouteCollection();
+    }
+
     public function testHostPlaceholders()
     {
         $routes = new RouteCollection();

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,10 @@ private function resolve($value)`
`146`	`146`	`return '%%';`
`147`	`147`	`}`
`148`	`148`
	`149`	`+ if (preg_match('/^env\(\w+\)$/', $match[1])) {`
	`150`	`+ throw new RuntimeException(sprintf('Using "%%%s%%" is not allowed in routing configuration.', $match[1]));`
	`151`	`+ }`
	`152`	`+`
`149`	`153`	`$resolved = $container->getParameter($match[1]);`
`150`	`154`
`151`	`155`	`if (is_string($resolved) \|\| is_numeric($resolved)) {`