HttpFoundation: Deprecate Request::get #40984
Comments
|
On the one hand: Using On the other hand: Migrating a mature codebase away from that method is a huge PITA. Been there, done that, won't recommend. 🙈 |
|
what i like about this deprecation is it moves decision taking to the user's side (aka the "use instead" part) A) i'll use the correct input source explicitly, B) i'll inline Both acceptable to me, preferring A most likely :) overall i think it's worth forcing users to make the intentions more expressive. |
|
maybe an interim step could also be to deprecate accessing POST in that function. i.e. add a deprecation notice here: Because like I said, I don't see how you could use this safely for POST forms |
|
The method starts with the following disclaimer: And looking at the codebase, this method is exactly used for that: fetching a value either in the route, query or body. Before considering deprecating, we should ensure that these use cases can be updated and that the change would make sense. |
|
@nicolas-grekas Well the thing is that the disclaimer is wrong IMO: It doesn't provide flexibility, it just introduces uncertainty. Because making POST data overrideable by GET just opens you to all sorts of trouble from external parties |
|
Please have a look at the codebase. The places where |
|
I don't doubt that it is used correctly in this repo, I'm more worried about external code of varying quality. Who's to say that every dev using this function read and fully understood the disclaimer? The point is that it's just very easy to get it wrong and introduce vulnerabilities, so to me at least the function seems badly designed. If you want to keep it for use in this repo, maybe tag it as It's weird that I have to keep repeating it, but to me this function seems like a security incident waiting to happen. Is nobody else worried about the abuse potential here? Am I missing something? |
|
I would welcome a PR that removes using the method from the codebase. That could be a nice exercise to practice the proposal and get some more food for thoughts. |
|
out of curiosity, I added (take that list with a grain of salt though: I get tons of errors & failures when running the test suite) Side question: does anyone know a static anaylzer that can find all call sites for a function? I'm looking for this for some other project, and it might come in handy here, too |
PhpStorm? 🙃 |
|
Please consider different naming otherwise. We have +- 60 calls, and im totally not amused about it :D |
|
Plus one for deprecating that function. I agree that conflating get/post params can lead to subtle bugs, often with security implications, and should not be something so easily available to end developers. What's more, I always found it name confusing, as in my mind |
|
aside from being overly long, I think a good name for this function would be |
This PR was merged into the 5.4 branch. Discussion ---------- [HttpFoundation] Mark Request::get() internal | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | yes | Tickets | Fix #40984 | License | MIT | Doc PR | symfony/symfony-docs#... <!-- required for new features --> we should not forget about this :) Commits ------- e84efc4 [HttpFoundation] Mark Request::get() internal
Symfony version(s) affected: all I think
Description
Request::getlooks at the following data:$this->attributes$this->query$this->requestin that order. So it checks
$_GETbefore it checks$_POST. I haven't checked, but I think it might have been implemented this way because of a misunderstanding about how the ini settingrequest_orderworks: The default there isGP, butso
P(POST) takes precedence overG(GET)and if you think about it, that is the only logical order, because the way Symfony does it, allows for trivial attacks by sending malicious links to users which completely override whatever they enter in a (POST) form.
How to reproduce
If the backend code uses (directly or indirectly)
$request->get()and you have a POST form in the frontend, anyone can make a malicious link like/order?selectedproduct=ultra-deluxe-editionwhich completely overrides anything the user enters in a form, without them knowing. So for POST forms,$request->get()is outright dangerous.If your frontend code uses a GET form, then your backend might as well just use
$request->query->get(), because where is the POST data going to come from? The only way to get POST data in this scenario would be if the backend code adds it itself programmatically. But if the backend code does that, it might as well just add its stuff to$request->attributesor modify$request->querydirectly.Possible Solution
There seems to be no scenario where
Request::getcan be used safely and does something useful. One way to fix this would be to invert the order, i.e. look at POST before looking at GET, but that would be a very hard to detect BC break. So it might be best to just get rid of the function completelyAdditional context
See discussion in #40974
The text was updated successfully, but these errors were encountered: