Validate PHP classnames in di.xml files via schema
The preferenceType @for/@type attributes, the typeType @name attribute, the virtualTypeType @type attribute and the pluginType @type attribute contain class-names (FQCNs) which should not start with a leading backslash (U+005C "\") and should not contain other invalid character sequences that would represent an invalid PHP class-name.

Previously this was possible and these errors went unnoticed within di.xml configuration file validation.

The ObjectManager - a user of these configurations - handles this common error in user input in part so far by removing any trailing slashes with multiple calls like:

    $type = ltrim($type, '\\');

This change has been introduced in 33ebc24 and could be classified as a workaround for a quite common mistake when specifying an FQCN that despite the varying notations in the PHP manual due to the contextual resolution rules (and different to a file-system's absolute path in POSIX) must not start with a leading separator as type or class-name.

When using a string-value as class-name (e.g. class_exists() calls) the class name is always an FQCN as namespacing in PHP is contextual within source-code for identifiers only and not for strings. So relative class-names (like those with a leading backslash) do not apply for strings. This is the case in configuration files like di.xml files.

The di.xml files use the

    urn:magento:framework:ObjectManager/etc/config.xsd

schema location which is resolved by UrnResolver (6379732) to

    lib/internal/Magento/Framework/ObjectManager/etc/config.xsd

That schema did validate class-name attribute values only against the simple type of being strings (xs:string).

As a class-name in PHP is a valid string also if starting with the backslash character (and other invalid names, like digits in front), this commit extends the schema to validate against the regular expression provided by the PHP manual [1]:

    ^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$

by adding a new simple-type called "phpFqcn" that qualifies the string base-type with the pattern translated from the PHP manual:

    [a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*

extended for namespaced class-names:

    ([a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*)(\\[a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*)*

The change ensures that the said attribute values are validated and invalid class-names are recognized during schema based validation.

This change prevents that configured PHP-types can be autoloaded when used w/o smudging (see the ltrim() operation). It has been documented [2] that the leading backslash prevents correct file-resolution when auto-loading with the Composer autoloader, a component actively used by the Magento application.

This change adheres to existing PR #8638 and relates to issue #8635.

Refs:

- #8635
- #8638
- [1] https://php.net/language.oop5.basic
- [2] http://magento.stackexchange.com/a/161010
- 33ebc24
- 6379732
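The check the commit message describes, as an added example that is not part of the commit or of the Magento code base: it applies the PHP manual's label pattern, extended for namespace separators, to the four class-name attributes the message names. The function names, constants and the sample di.xml are constructed for illustration.

```php
<?php
declare(strict_types=1);

// PHP manual label pattern; an FQCN is one or more labels joined by a single
// backslash, with no leading separator. /D stops "$" matching before a newline.
const FQCN_LABEL = '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*';
const FQCN_PATTERN = '/^' . FQCN_LABEL . '(?:\\\\' . FQCN_LABEL . ')*$/D';

function isValidFqcn(string $name): bool
{
    return preg_match(FQCN_PATTERN, $name) === 1;
}

/** @return string[] one message per invalid class-name attribute value */
function findInvalidClassNames(string $diXml): array
{
    // element => attributes holding class-names, as listed in the commit message
    $targets = [
        'preference'  => ['for', 'type'],
        'type'        => ['name'],
        'virtualType' => ['type'],
        'plugin'      => ['type'],
    ];
    $doc = new DOMDocument();
    if (!$doc->loadXML($diXml, LIBXML_NONET)) {
        throw new InvalidArgumentException('di.xml is not well-formed');
    }
    $errors = [];
    foreach ($targets as $element => $attributes) {
        foreach ($doc->getElementsByTagName($element) as $node) {
            foreach ($attributes as $attr) {
                $value = $node->getAttribute($attr);
                if ($node->hasAttribute($attr) && !isValidFqcn($value)) {
                    $errors[] = sprintf('line %d: <%s %s="%s">', $node->getLineNo(), $element, $attr, $value);
                }
            }
        }
    }
    return $errors;
}

// Constructed sample: one leading backslash and one label starting with a digit.
$sample = <<<'XML'
<config>
    <preference for="Vendor\Api\FooInterface" type="\Vendor\Model\Foo"/>
    <type name="Vendor\Model\Bar"><plugin name="p" type="Vendor\Plugin\1stPlugin"/></type>
    <virtualType name="fooVirtual" type="Vendor\Model\Foo"/>
</config>
XML;
print_r(findInvalidClassNames($sample));
```

The virtualType @name value is not checked because the message lists only @type for virtualTypeType as carrying a class-name.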