InjectTemplateListener using different templates for single action

[rutek]

Bug Report

Q	A
Version(s)	3.x

Summary

InjectTemplateListener::injectTemplate uses different logic to determine template name based on action name than AbstractController::getMethodFromAction. I think that view name should be based on real action name instead of request data as it's possible to trigger action A and render view B instead of A.

I don't see any security problems when template names are used to determine template path automatically. Every scenario I found just ends in invalid template name when action has been executed.

Current behavior

InjectTemplateListener::injectTemplate uses action route parameter from URL. It generates view names which can be different for single controller action.

How to reproduce

Within default Laminas Framework configuration:

• Visiting /my-controller/test will call testAction and render (...)/my-controller/test template. = OK
• Visiting /my-controller/test%20 will call testAction and try to render (...)/my-controller/test template. = FAIL (space at the end)
• Visiting /my-controller/teSt will call testAction and try to render (...)/my-controller/te-st template. = FAIL
• Visiting /my-controller/te-st will call testAction and try to render (...)/my-controller/te-st template. = FAIL

Expected behavior

Action name used to generate view name should be filtered in the same way as it's filtered for determining method name within controller.