Fix #18544: Fix `yii\validators\NumberValidator` to disallow values with whitespaces

4 years ago · cfe782b3f5
4 changed files with 34 additions and 4 deletions
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.0.42 under development
 ------------------------

+- Bug #18544: Fix `yii\validators\NumberValidator` to disallow values with whitespaces (bizley)
 - Bug #18552: Fix bug with `yii\data\SqlDataProvider` not properly handling SQL with `ORDER BY` clause (bizley)


--- a/framework/UPGRADE.md
+++ b/framework/UPGRADE.md
@ -51,6 +51,13 @@ if you want to upgrade from version A to version C and there is
 version B between A and C, you need to follow the instructions
 for both A and B.

+Upgrade from Yii 2.0.41
+-----------------------
+
+* `NumberValidator` (`number`, `double`, `integer`) does not allow values with leading or terminating (non-trimmed) 
+  white spaces anymore. If your application expects non-trimmed values provided to this validator make sure to trim 
+  them first (i.e. by using `trim` / `filter` "validators").
+
 Upgrade from Yii 2.0.40
 -----------------------

--- a/framework/validators/NumberValidator.php
+++ b/framework/validators/NumberValidator.php
@ -49,12 +49,12 @@ class NumberValidator extends Validator
    /**
     * @var string the regular expression for matching integers.
     */
-    public $integerPattern = '/^\s*[+-]?\d+\s*$/';
+    public $integerPattern = '/^[+-]?\d+$/';
    /**
     * @var string the regular expression for matching numbers. It defaults to a pattern
     * that matches floating numbers with optional exponential part (e.g. -1.23e-10).
     */
-    public $numberPattern = '/^\s*[-+]?[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?\s*$/';
+    public $numberPattern = '/^[-+]?[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?$/';


    /**
@ -118,7 +118,7 @@ class NumberValidator extends Validator
        return null;
    }

-    /*
+    /**
     * @param mixed $value the data value to be checked.
     */
    private function isNotNumber($value)
--- a/tests/framework/validators/NumberValidatorTest.php
+++ b/tests/framework/validators/NumberValidatorTest.php
@ -332,6 +332,28 @@ class NumberValidatorTest extends TestCase
        $val->validateAttribute($model, 'attr_number');
        $this->assertFalse($model->hasErrors('attr_number'));
    }
+
+    /**
+     * @see https://github.com/yiisoft/yii2/issues/18544
+     */
+    public function testNotTrimmedStrings()
+    {
+        $val = new NumberValidator(['integerOnly' => true]);
+        $this->assertFalse($val->validate(' 1 '));
+        $this->assertFalse($val->validate(' 1'));
+        $this->assertFalse($val->validate('1 '));
+        $this->assertFalse($val->validate("\t1\t"));
+        $this->assertFalse($val->validate("\t1"));
+        $this->assertFalse($val->validate("1\t"));
+
+        $val = new NumberValidator();
+        $this->assertFalse($val->validate(' 1.1 '));
+        $this->assertFalse($val->validate(' 1.1'));
+        $this->assertFalse($val->validate('1.1 '));
+        $this->assertFalse($val->validate("\t1.1\t"));
+        $this->assertFalse($val->validate("\t1.1"));
+        $this->assertFalse($val->validate("1.1\t"));
+    }
 }

 class TestClass