[HttpFoundation] reject invalid method override
parent
b7bdf2ce43
commit
944e60f083
|
@ -1346,22 +1346,37 @@ class Request
|
|||
*/
|
||||
public function getMethod()
|
||||
{
|
||||
if (null === $this->method) {
|
||||
$this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
|
||||
|
||||
if ('POST' === $this->method) {
|
||||
if ($method = $this->headers->get('X-HTTP-METHOD-OVERRIDE')) {
|
||||
$this->method = strtoupper($method);
|
||||
} elseif (self::$httpMethodParameterOverride) {
|
||||
$method = $this->request->get('_method', $this->query->get('_method', 'POST'));
|
||||
if (\is_string($method)) {
|
||||
$this->method = strtoupper($method);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (null !== $this->method) {
|
||||
return $this->method;
|
||||
}
|
||||
|
||||
return $this->method;
|
||||
$this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
|
||||
|
||||
if ('POST' !== $this->method) {
|
||||
return $this->method;
|
||||
}
|
||||
|
||||
$method = $this->headers->get('X-HTTP-METHOD-OVERRIDE');
|
||||
|
||||
if (!$method && self::$httpMethodParameterOverride) {
|
||||
$method = $this->request->get('_method', $this->query->get('_method', 'POST'));
|
||||
}
|
||||
|
||||
if (!\is_string($method)) {
|
||||
return $this->method;
|
||||
}
|
||||
|
||||
$method = strtoupper($method);
|
||||
|
||||
if (\in_array($method, ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'], true)) {
|
||||
return $this->method = $method;
|
||||
}
|
||||
|
||||
if (!preg_match('/^[A-Z]++$/D', $method)) {
|
||||
throw new SuspiciousOperationException(sprintf('Invalid method override "%s".', $method));
|
||||
}
|
||||
|
||||
return $this->method = $method;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
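Review bot: The rejection at `throw new SuspiciousOperationException(...)` only fires once, because `$this->method` has already been cached as `POST` by the earlier `$this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));`. A caller that catches the exception and calls `getMethod()` again gets `POST` back from the first guard with no error. If the override should be rejected on every call, clear the cache just before throwing with `$this->method = null;`. If falling back to `POST` is deliberate (for example so error handling can still read the method, which is my assumption), say so in a comment at the throw. The message also interpolates the override value, which for `_method` is request-controlled and unbounded in length, so anything that logs or renders it has to escape it; the docblock starts outside the hunk, so I cannot tell whether `@throws SuspiciousOperationException` was added.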