Skip to content

[6.x] Don't copy query parameters to Request.request #36708

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[6.x] Don't copy query parameters to Request.request #36708

wants to merge 1 commit into from

Conversation

mixlion
Copy link

@mixlion mixlion commented Mar 23, 2021

While creating a Request from the base SymfonyRequest, its query (GET) parameters are copied to the request field, but it shouldn't as the field's documentation clearly says it contains only body (POST) parameters:

/**
   * Request body parameters ($_POST).
   *
   * @var ParameterBag
   */
  public $request;

Due to this bug, PSR request created in RoutingServiceProvider via PsrHttpFactory returns query parameters with the getParsedBody method, but it obviously shoudn't.

The bug was introduced in #7052, the reason for the changes was to copy the JSON body, but query parameters was copied as well.

The same issue in #22805 and #17087.

There might be misusing of this field due to the long presence of this bug (from 4.2), maybe it is better to fix it in master?

@taylorotwell
Copy link
Member

We can't make such a breaking change.

@LukeTowers LukeTowers mentioned this pull request Jul 5, 2021
Merged
taylorotwell pushed a commit that referenced this pull request Aug 9, 2021
@LukeTowers
[9.x] Manually populate POST request body with JSON data only when re…
13e4a7f 
…quired (#37921)

* Manually populate POST request body with JSON data only when required

This fixes a 6 year old bug introduced in #7026 where GET requests would have GET data populated in the POST body property leading to issues around Request::post() and $request->getParsedBody() returning GET values when called on GET requests.

This is a resubmit of #17087 & #36708, and fixes #22805. Credit to @dan-har for the initial solution and @mixlion for updating it for >=6.x.

The original PR was meant to support POST requests where their Content-type was set to application/json (instead of the typical application/x-www-form-urlencoded), but it introduced a subtle and dangerous bug because while $request->getInputSource() does return the JSON data for JSON requests, it also returns the GET data for GET requests. This commit solves the underlying issue without breaking compatibility with the original functionality.

* Add test for non-JSON GET requests

* Style fixes

* Extra space removal

* GitHub's editor needs some work
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mixlion @taylorotwell