bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (Phobetor)
This PR was squashed before being merged into the 2.8 branch (closes #28080).
Discussion
----------
[HttpFoundation] fixed using _method parameter with invalid type
| Q | A
| ------------- | ---
| Branch? | 2.8
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #28079
| License | MIT
| Doc PR | -
This change makes sure that an incoming `_method` parameter is only used when it is a string value.
Commits
-------
63583debd2 [HttpFoundation] fixed using _method parameter with invalid type
This commit is contained in:
Nicolas Grekas
commit
86dd8dbfdd
|
|
@ -1276,7 +1276,10 @@ class Request
|
|||
if ($method = $this->headers->get('X-HTTP-METHOD-OVERRIDE')) {
|
||||
$this->method = strtoupper($method);
|
||||
} elseif (self::$httpMethodParameterOverride) {
|
||||
$this->method = strtoupper($this->request->get('_method', $this->query->get('_method', 'POST')));
|
||||
$method = $this->request->get('_method', $this->query->get('_method', 'POST'));
|
||||
if (\is_string($method)) {
|
||||
$this->method = strtoupper($method);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -816,6 +816,11 @@ class RequestTest extends TestCase
|
|||
$request->setMethod('POST');
|
||||
$request->headers->set('X-HTTP-METHOD-OVERRIDE', 'delete');
|
||||
$this->assertEquals('DELETE', $request->getMethod(), '->getMethod() returns the method from X-HTTP-Method-Override if defined and POST');
|
||||
|
||||
$request = new Request();
|
||||
$request->setMethod('POST');
|
||||
$request->query->set('_method', array('delete', 'patch'));
|
||||
$this->assertSame('POST', $request->getMethod(), '->getMethod() returns the request method if invalid type is defined in query');
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Reference in New Issue