[Serializer] int is valid when float is expected when deserializing JSON #21165
Conversation
9129074 to
023c604
Compare
023c604 to
fe7228b
Compare
| // PHP's json_decode automatically converts Numbers without a decimal part to integers. | ||
| // To circumvent this behavior, integers are converted to floats when denormalizing JSON based formats and when | ||
| // a float is expected. | ||
| if (Type::BUILTIN_TYPE_FLOAT === $builtinType && false !== strpos($format, JsonEncoder::FORMAT) && is_int($data)) { |
There was a problem hiding this comment.
Is the strpos($format, JsonEncoder::FORMAT) part really necessary? (Why not all formats?)
There was a problem hiding this comment.
It is because some (most) formats make a difference between int and float.
There was a problem hiding this comment.
Well, ok, but would it be harmful to always cast an int it to float if that's what is expected?
Just asking, I'm fine with it it, despite the format check looking kind of weird here. 😅
There was a problem hiding this comment.
I would swap is_int and the string search. Checking a variable type is cheaper (yeah, this is a micro-optimization, but it does not hurt readability at all, and it may be called often when deserializing an object graph
There was a problem hiding this comment.
@stof done
@ogizanagi I'm not sure to understand :) JSON has only a "Number" type, it's a limitation of the format, but for a format having a float type (like YAML for instance), it's not a good security practice to allow a int where a float is expected.
|
In any case: 👍 Status: Reviewed. |
|
👍 |
|
Thank you @dunglas. |
…rializing JSON (dunglas) This PR was squashed before being merged into the 3.1 branch (closes #21165). Discussion ---------- [Serializer] int is valid when float is expected when deserializing JSON | Q | A | ------------- | --- | Branch? | 3.1 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | api-platform/api-platform#37 | License | MIT | Doc PR | n/a JSON only has a Number type corresponding to both `int` and `float` PHP types. PHP's `json_encode`, JavaScript's `JSON.stringify`, Go's `json.Marshal` as well as most other JSON encoders convert floating-point numbers like `12.0` to `12` (the decimal part is dropped when possible). PHP's `json_decode` automatically converts Numbers without a decimal part to integers. Actually, the Serializer rejects integers when a float is expected, this PR fixes this behavior when denormalizing JSON-based formats. Port of api-platform/core#714. /cc @gorghoa @Shine-neko Commits ------- 4125455 [Serializer] int is valid when float is expected when deserializing JSON
JSON only has a Number type corresponding to both
intandfloatPHP types.PHP's
json_encode, JavaScript'sJSON.stringify, Go'sjson.Marshalas well as most other JSON encoders convert floating-point numbers like12.0to12(the decimal part is dropped when possible).PHP's
json_decodeautomatically converts Numbers without a decimal part to integers.Actually, the Serializer rejects integers when a float is expected, this PR fixes this behavior when denormalizing JSON-based formats.
Port of api-platform/core#714.
/cc @gorghoa @Shine-neko