bug #40506 [Validator] Avoid triggering the autoloader for user-input values (Seldaek)

This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[Validator] Avoid triggering the autoloader for user-input values

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       |
| License       | MIT
| Doc PR        |

Following-up to https://twitter.com/seldaek/status/1372450636361502721 - mostly to see if the build passes or if this breaks some undocumented/unclear-to-me assumptions.

Essentially using the `Valid` constraint should only validate objects if they exist as objects. If a user sends a string and that gets assigned to a property, `Valid` should not attempt autoloading that user-given string.

As far as I can tell, this is used in two places:

- acb32dd396/src/Symfony/Component/Validator/Validator/RecursiveContextualValidator.php (L364-L365) where non-objects are anyway ignored, so this change is harmless there.
- acb32dd396/src/Symfony/Component/Validator/Validator/RecursiveContextualValidator.php (L652-L660) where it's explicitly passing anything in there to get the proper exception, so my change makes sure that exception is thrown *before* autoloading attempts. I am just not 100% sure if there are cases where validateGenericNode will receive a class name as a string to validate in $value. I can't imagine why it would but that doesn't mean it's true.

Commits
-------

e45eb23ba2 [Validator] Avoid triggering the autoloader for user-input values
Nicolas Grekas 2021-03-23 12:26:37 +01:00
commit 689056ef7f

@ -656,8 +656,10 @@ class RecursiveContextualValidator implements ContextualValidatorInterface
return;
}
// If the value is a scalar, pass it anyway, because we want
// a NoSuchMetadataException to be thrown in that case
if (!\is_object($value)) {
throw new NoSuchMetadataException(sprintf('Cannot create metadata for non-objects. Got: "%s".', \gettype($value)));
}
$this->validateObject(
$value,
$propertyPath,
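
Review bot: The comment directly above the new `if (!\is_object($value))` check still says "If the value is a scalar, pass it anyway", which no longer matches the code next to it, because a non-object is now rejected here and never reaches `$this->validateObject(`. Please reword it to state the actual intent, for example that non-objects are rejected at this point so a user-supplied string is never used for a metadata lookup that could trigger the autoloader. Reporting only `\gettype($value)` in the exception message is the right choice, since it keeps the submitted string out of logs and error output. It would also help to add a regression test that passes a string naming a non-existent class and asserts that `NoSuchMetadataException` is thrown without any registered autoloader being called, since the commit message is explicitly unsure whether any caller relies on class-name strings reaching this path.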