Merge pull request #2310 from acelaya-forks/feature/less-restrictive-…

…custom-slugs Be less restrictive on what characters are disallowed in custom slugs
shlinkio · Dec 17, 2024 · 736e09a · 736e09a
2 parents d533adf + e80af78
commit 736e09a
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com), and this
 
     This option effectively replaces the old `REDIRECT_APPEND_EXTRA_PATH` option, which is now deprecated and will be removed in Shlink 5.0.0
 
+* [#2156](https://github.com/shlinkio/shlink/issues/2156) Be less restrictive on what characters are disallowed in custom slugs.
+
+    All [URI-reserved characters](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) were disallowed up until now, but from now on, only the gen-delimiters are.
+
 ### Changed
 * [#2281](https://github.com/shlinkio/shlink/issues/2281) Update docker image to PHP 8.4
 * [#2124](https://github.com/shlinkio/shlink/issues/2124) Improve how Shlink decides if a GeoLite db file needs to be downloaded, and reduces the chances for API limits to be reached.

diff --git a/module/Core/src/ShortUrl/Model/Validation/CustomSlugValidator.php b/module/Core/src/ShortUrl/Model/Validation/CustomSlugValidator.php
@@ -46,10 +46,10 @@ public function isValid(mixed $value): bool
             return false;
         }
 
-        // URL reserved characters: https://datatracker.ietf.org/doc/html/rfc3986#section-2.2
-        $reservedChars = "!*'();:@&=+$,?%#[]";
+        // URL gen-delimiter reserved characters, except `/`: https://datatracker.ietf.org/doc/html/rfc3986#section-2.2
+        $reservedChars = ':?#[]@';
         if (! $this->options->multiSegmentSlugsEnabled) {
-            // Slashes should be allowed for multi-segment slugs
+            // Slashes should only be allowed if multi-segment slugs are enabled
             $reservedChars .= '/';
         }
 

diff --git a/module/Core/test/ShortUrl/Model/Validation/CustomSlugValidatorTest.php b/module/Core/test/ShortUrl/Model/Validation/CustomSlugValidatorTest.php
@@ -59,13 +59,11 @@ public function valuesWithReservedCharsAreInvalid(string $value): void
 
     public static function provideInvalidValues(): iterable
     {
+        yield ['port:8080'];
         yield ['foo?bar=baz'];
         yield ['some-thing#foo'];
-        yield ['call()'];
-        yield ['array[]'];
+        yield ['brackets[]'];
         yield ['[email protected]'];
-        yield ['wildcard*'];
-        yield ['$500'];
     }
 
     public function createValidator(bool $multiSegmentSlugsEnabled = false): CustomSlugValidator