feature #16076 [HttpFoundation] change precedence of parameters in Request::get (Tobion)
This PR was merged into the 3.0-dev branch.
Discussion
----------
[HttpFoundation] change precedence of parameters in Request::get
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Allowing the request attributes to be overwritten via GET parameters is risky and made #8966 even worse.
It is even more risky because it skips the requirements checks as configured in routing. So people that set requirements for routing placeholders like `\d+` or `html|json` can be sure it is validated when using the routing variables. But if developers use `$request->get()` to retrieve them, anybody from outside can set any value for those.
Commits
-------
e8d6764
[HttpFoundation] change precedence of parameters in Request::get
commit 88e2d70df0
@ -1,6 +1,11 @@
|
||||
CHANGELOG
|
||||
=========
|
||||
|
||||
3.0.0
|
||||
-----
|
||||
|
||||
* The precedence of parameters returned from `Request::get()` changed from "GET, PATH, BODY" to "PATH, GET, BODY"
|
||||
|
||||
2.8.0
|
||||
-----
|
||||
|
||||
|
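Review bot: The 3.0.0 entry states the new order but does not say that this is a BC break or what callers should do about it. Suggest adding that code which relied on a query-string value overriding a routing placeholder through `Request::get()` now receives the attribute instead, and that callers should read from `$request->attributes`, `$request->query` or `$request->request` explicitly.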
@ -700,19 +700,13 @@ class Request
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a "parameter" value.
|
||||
* Gets a "parameter" value from any bag.
|
||||
*
|
||||
* This method is mainly useful for libraries that want to provide some flexibility.
|
||||
* This method is mainly useful for libraries that want to provide some flexibility. If you don't need the
|
||||
* flexibility in controllers, it is better to explicitly get request parameters from the appropriate
|
||||
* public property instead (attributes, query, request).
|
||||
*
|
||||
* Order of precedence: GET, PATH, POST
|
||||
*
|
||||
* Avoid using this method in controllers:
|
||||
*
|
||||
* * slow
|
||||
* * prefer to get from a "named" source
|
||||
*
|
||||
* It is better to explicitly get request parameters from the appropriate
|
||||
* public property instead (query, attributes, request).
|
||||
* Order of precedence: PATH (routing placeholders or custom attributes), GET, BODY
|
||||
*
|
||||
* @param string $key the key
|
||||
* @param mixed $default the default value
|
||||
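Review bot: The new "Order of precedence" line in the docblock can be read as a guarantee that `get()` returns a routing-validated value, which only holds when the key exists in `attributes`. Suggest stating that a key missing from the attributes still falls through to GET and then BODY, both of which are client-controlled, so values that must satisfy routing requirements should be read with `$request->attributes->get($key)`.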
@ -721,11 +715,11 @@ class Request
|
||||
*/
|
||||
public function get($key, $default = null)
|
||||
{
|
||||
if ($this !== $result = $this->query->get($key, $this)) {
|
||||
if ($this !== $result = $this->attributes->get($key, $this)) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ($this !== $result = $this->attributes->get($key, $this)) {
|
||||
if ($this !== $result = $this->query->get($key, $this)) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
|
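Review bot: The lookup order in `get()` is now security-relevant, yet nothing in the method body says why `attributes` is checked before `query`. Suggest a one-line comment above the first `if` noting that attributes come first so that client-supplied GET parameters cannot override routing placeholders, so that a later refactor does not swap the two branches back.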
@ -1221,6 +1221,25 @@ class RequestTest extends \PHPUnit_Framework_TestCase
|
||||
$this->assertEquals('/path%20test/info', $request->getPathInfo());
|
||||
}
|
||||
|
||||
public function testGetParameterPrecedence()
|
||||
{
|
||||
$request = new Request();
|
||||
$request->attributes->set('foo', 'attr');
|
||||
$request->query->set('foo', 'query');
|
||||
$request->request->set('foo', 'body');
|
||||
|
||||
$this->assertSame('attr', $request->get('foo'));
|
||||
|
||||
$request->attributes->remove('foo');
|
||||
$this->assertSame('query', $request->get('foo'));
|
||||
|
||||
$request->query->remove('foo');
|
||||
$this->assertSame('body', $request->get('foo'));
|
||||
|
||||
$request->request->remove('foo');
|
||||
$this->assertNull($request->get('foo'));
|
||||
}
|
||||
|
||||
public function testGetPreferredLanguage()
|
||||
{
|
||||
$request = new Request();
|
||||
|
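Review bot: `testGetParameterPrecedence()` ends with `assertNull($request->get('foo'))`, which only exercises the implicit null default. Suggest adding an assertion with an explicit default once all bags are empty, for example `$this->assertSame('default', $request->get('foo', 'default'));`, and one that passes a default while the key is still present in a bag, so the `$this` sentinel comparison in `get()` is covered in both directions.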