Merge pull request #662 from wmde/trailingNewline

Fix newline injection vector in EntityId validation

Author: mariushoch

src/Entity/ItemId.php

@@ -15,7 +15,7 @@ class ItemId extends EntityId {
 	/**
 	 * @since 0.5
 	 */
-	const PATTERN = '/^Q[1-9]\d*$/i';
+	const PATTERN = '/^Q[1-9]\d*\z/i';
 
 	/**
 	 * @param string $idSerialization

src/Entity/PropertyId.php

@@ -15,7 +15,7 @@ class PropertyId extends EntityId {
 	/**
 	 * @since 0.5
 	 */
-	const PATTERN = '/^P[1-9]\d*$/i';
+	const PATTERN = '/^P[1-9]\d*\z/i';
 
 	/**
 	 * @param string $idSerialization

tests/unit/Entity/ItemIdTest.php

@@ -52,6 +52,7 @@ public function testCannotConstructWithInvalidSerialization( $invalidSerializati
 
 	public function invalidIdSerializationProvider() {
 		return array(
+			array( "Q1\n" ),
 			array( 'q' ),
 			array( 'p1' ),
 			array( 'qq1' ),

tests/unit/Entity/PropertyIdTest.php

@@ -52,6 +52,7 @@ public function testCannotConstructWithInvalidSerialization( $invalidSerializati
 
 	public function invalidIdSerializationProvider() {
 		return array(
+			array( "P1\n" ),
 			array( 'p' ),
 			array( 'q1' ),
 			array( 'pp1' ),