ThinkPHP framework 5.0.23 security update issue - bug fix - how to change /thinkphp/library/think/App.php and why

The official Q&A on this is a bit messy, so here is the change sorted out: it goes below line 553 of the /thinkphp/library/think/App.php file.

        // whether to automatically convert controller and action names
        $convert = is_bool($convert) ? $convert : $config['url_convert'];

        // get the controller name
        $controller = strip_tags($result[1] ?: $config['default_controller']);

        $controller = $convert ? strtolower($controller) : $controller;

        // added to patch the vulnerability: reject any controller name that is not
        // a letter followed by word characters or dots
        if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
            throw new HttpException(404, 'controller not exists:' . $controller);
        }

That is, add the following right after the controller name is obtained:

if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}

So that is what to add; but why does it need to be added like this?

The preg_match() function performs a regular expression match; it returns 1 if the pattern matches and 0 otherwise.
preg_match() stops after the first successful match. If you want to find all matches, you need to use the preg_match_all() function instead.

So if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) checks whether the controller name that was just obtained, $controller, matches the pattern /^[A-Za-z](\w|\.)*$/.

In that pattern, ^ and $ anchor the match to the start and end of the string, [A-Za-z] requires the first character to be an upper- or lower-case letter from a to z, and (\w|\.)* after it matches 0 or more further characters, each of which must be a word character (letter, digit or underscore) or a dot.

If the name does not match this pattern, the code throws a new HttpException with status 404 and the message "controller not exists", so the request is rejected instead of being dispatched to a controller with an unexpected name.
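To see what the check accepts and rejects, here is a stand-alone script (added here, not ThinkPHP's own code) that applies the same regex to a few constructed controller names; HttpException is a minimal stand-in for the framework's think\exception\HttpException so the script runs without ThinkPHP.

```php
<?php
// Minimal stand-in for think\exception\HttpException (assumption: only the
// status code and message matter for this demonstration).
class HttpException extends \RuntimeException
{
    public function __construct(int $statusCode, string $message)
    {
        parent::__construct($message, $statusCode);
    }
}

// Same check as the App.php patch: one ASCII letter, then any number of
// word characters (letters, digits, underscore) or dots. Anything else
// is rejected with a 404, exactly as in the patched dispatcher.
function assertValidController(string $controller): string
{
    if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
        throw new HttpException(404, 'controller not exists:' . $controller);
    }
    return $controller;
}

// Constructed sample inputs: name => whether the patch should accept it.
$samples = [
    'Index'        => true,   // plain controller name
    'user.profile' => true,   // dotted (multi-level) name is allowed
    'Api_v2'       => true,   // underscore and digits are \w
    ''             => false,  // empty name never matches
    '2fa'          => false,  // must start with a letter
    'user-profile' => false,  // hyphen is not \w
    'a/b'          => false,  // slash is not \w
    'foo\\bar'     => false,  // backslash is not \w
];

foreach ($samples as $name => $expected) {
    try {
        assertValidController($name);
        $accepted = true;
    } catch (HttpException $e) {
        $accepted = false; // getCode() is 404 here
    }
    printf("%-16s %s\n", var_export($name, true),
        $accepted === $expected ? 'ok' : 'MISMATCH');
}
```

Every line should print "ok"; the rejected names are the ones that would have reached the dispatcher unchecked before the patch.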

Solution reference:

5.0.23 Security Update Issues - ThinkPHP Framework


Origin: blog.csdn.net/dujiangdu123/article/details/126120166