[DependencyInjection][Routing][HttpClient] Reject URIs that contain invalid characters

Author: nicolas-grekas

EnvVarProcessor.php

@@ -310,6 +310,12 @@ public function getEnv(string $prefix, string $name, \Closure $getEnv): mixed
             if (!isset($params['scheme'], $params['host'])) {
                 throw new RuntimeException(\sprintf('Invalid URL in env var "%s": scheme and host expected.', $name));
             }
+            if (('\\' !== \DIRECTORY_SEPARATOR || 'file' !== $params['scheme']) && false !== ($i = strpos($env, '\\')) && $i < strcspn($env, '?#')) {
+                throw new RuntimeException(\sprintf('Invalid URL in env var "%s": backslashes are not allowed.', $name));
+            }
+            if (\ord($env[0]) <= 32 || \ord($env[-1]) <= 32 || \strlen($env) !== strcspn($env, "\r\n\t")) {
+                throw new RuntimeException(\sprintf('Invalid URL in env var "%s": leading/trailing ASCII control characters or whitespaces are not allowed.', $name));
+            }
             $params += [
                 'port' => null,
                 'user' => null,

Tests/EnvVarProcessorTest.php

@@ -996,6 +996,27 @@ public static function provideGetEnvUrlPath()
         ];
     }
 
+    /**
+     * @testWith ["http://foo.com\\bar"]
+     *           ["\\\\foo.com/bar"]
+     *           ["a\rb"]
+     *           ["a\nb"]
+     *           ["a\tb"]
+     *           ["\u0000foo"]
+     *           ["foo\u0000"]
+     *           [" foo"]
+     *           ["foo "]
+     *           [":"]
+     */
+    public function testGetEnvBadUrl(string $url)
+    {
+        $this->expectException(RuntimeException::class);
+
+        (new EnvVarProcessor(new Container()))->getEnv('url', 'foo', static function () use ($url): string {
+            return $url;
+        });
+    }
+
     /**
      * @testWith    ["", "string"]
      *              [null, ""]