_method parameter type is not checked #28079

Closed
Phobetor opened this issue Jul 27, 2018 · 0 comments

Phobetor commented Jul 27, 2018

Symfony version(s) affected: all supported versions (and >=2.1, too)

Description
Given that HTTP method override is active, setting an array as _method parameter in a random form with POST method raises a PHP warning.

How to reproduce
Activate HTTP method override

```yaml
framework:
    http_method_override: true
```

Submit a random form with POST method to a URL which contains an array as _method query parameter (e.g. https://example.com?_method[]=foo&_method[]=bar).

Possible Solution
Request::getMethod() should check the type of the acquired _method value and not use it if it is not a string.

Additional context

```
PHP Warning:  strtoupper() expects parameter 1 to be string, array given in var/bootstrap.php.cache on line 977
```

bootstrap.php.cache line 977 is equivalent to src/Symfony/Component/HttpFoundation/Request.php

```php
$this->method = strtoupper($this->request->get('_method', $this->query->get('_method', 'POST')));
```

Phobetor changed the title from "_method parameter is not check for type" to "_method parameter type is not checked" on Jul 27, 2018
nicolas-grekas added a commit that referenced this issue Jul 29, 2018
…d type (Phobetor)

This PR was squashed before being merged into the 2.8 branch (closes #28080).

Discussion
----------

[HttpFoundation] fixed using _method parameter with invalid type

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #28079
| License       | MIT
| Doc PR        | -

This change makes sure that an incoming `_method` parameter is only used when it is a string value.

Commits
-------

63583de [HttpFoundation] fixed using _method parameter with invalid type
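
An added illustration of the type check discussed in this issue (not Symfony's code and not the merged patch), using plain arrays in place of the Request parameter bags. The function names `uncheckedMethod` and `checkedMethod` are hypothetical, the query strings are constructed, and falling back to `POST` for a non-string value is an assumption of this sketch.

```php
<?php
// Added example; names are hypothetical and inputs are constructed.

// Surface warnings as exceptions so the failure is visible on any PHP version.
set_error_handler(function (int $no, string $msg): bool {
    throw new ErrorException($msg, 0, $no);
});

/** Simplified form of the unchecked lookup quoted in the issue. */
function uncheckedMethod(array $post, array $query)
{
    // strtoupper() receives whatever type the client supplied.
    return strtoupper($post['_method'] ?? $query['_method'] ?? 'POST');
}

/** Uses the override only when it is a string; otherwise keeps POST (assumption). */
function checkedMethod(array $post, array $query): string
{
    $override = $post['_method'] ?? $query['_method'] ?? 'POST';

    return is_string($override) ? strtoupper($override) : 'POST';
}

// Constructed inputs: the query string from the report and an ordinary override.
parse_str('_method[]=foo&_method[]=bar', $arrayQuery);
parse_str('_method=delete', $stringQuery);

foreach (['array' => $arrayQuery, 'string' => $stringQuery] as $label => $query) {
    try {
        $unchecked = uncheckedMethod([], $query);
    } catch (Throwable $e) {
        // A warning-turned-ErrorException or a TypeError, depending on the PHP version.
        $unchecked = get_class($e) . ': ' . $e->getMessage();
    }
    printf("%-6s unchecked=[%s] checked=[%s]\n", $label, $unchecked, checkedMethod([], $query));
}
```

On PHP 8 the unchecked call throws a `TypeError` rather than emitting the warning quoted above, so without the type check a request of this shape ends in an uncaught error instead of a log line.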