-
-
Notifications
You must be signed in to change notification settings - Fork 9.6k
[HttpFoundation] Deprecate passing invalid URI to Request::create #49376
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[HttpFoundation] Deprecate passing invalid URI to Request::create #49376
Conversation
Hey! Thanks for your PR. You are targeting branch "6.3" but it seems your PR description refers to branch "5.4". Cheers! Carsonbot |
Wasn't quite sure how the Changelog/Deprecation documentation was suppose to work so that is missing but should otherwise be good to go. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please also fix the coding standards as reported by fabbot.
ab9e844
to
86230fb
Compare
@stof Fixed the relevant fabbot changes.
Didn't touch this code so maybe should be handled else where? |
Yes, that one you can ignore. But the |
Also, the failing tests appear to be related. |
the test failure is because you forogt to update the assertion in the test when fixing the text of the deprecation message. |
Fixes: symfony#47084 Passing an invalid URI to Request::create triggers an undefined code path. In PHP7 the false value returned by parse_url would quietly be treated as a an array through type coercion leading to unexpected results. In PHP8 this triggers a deprecation exposing the bug.
86230fb
to
bce4c27
Compare
Fixed the test and that stray space that snuck in. Somehow the tests are worse... There's a ton of fatal errors and failures that seem unrelated so hoping something changed elsewhere... |
Thank you @neclimdul. |
… behaviors (GromNaN) This PR was squashed before being merged into the 7.0 branch. Discussion ---------- [HttpFoundation] Remove deprecated classes, method and behaviors | Q | A | ------------- | --- | Branch? | 7.0 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | n/a Clean `symfony/http-foundation` from all its legacy. - Remove `RequestMatcher` and `ExpressionRequestMatcher`, deprecated since #47595 - Remove `Request::getContentType()`, deprecated since #45034 - Throw a `UnexpectedValueException` or `BadRequestException` when `ParameterBag::filter()` or `InputBag::filter()` reads an invalid value and the flag `FILTER_NULL_ON_FAILURE` is not set. new behavior announced since #48525 - Throw a `InvalidArgumentException` when calling `Request::create()` with a malformed URI, deprecated since #49376 Commits ------- 665a775 [HttpFoundation] Remove deprecated classes, method and behaviors
… with a colon (akeylimepie) This PR was squashed before being merged into the 5.4 branch. Discussion ---------- [HttpKernel] [WebProfileBundle] Fix Routing panel for URLs with a colon | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | see below | License | MIT According to [docs](https://www.php.net/manual/en/function.parse-url.php) the `parse_url` function may not produce the expected result for **relative** URLs. In particular, the function produces incorrect results for a relative URL with a port-like string in any part, such as: ```php parse_url('/foo/bar:123/baz'); // false ``` But such a URL is valid. So if there is a controller with this route for it, Symfony will correctly match it: ```php <?php namespace App\Controller; use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Routing\Attribute\Route; class HelloController extends AbstractController { #[Route('/foo/bar:123/baz')] public function world() { return new Response(); } } ``` <img width="1208" alt="match" src="https://github.com/user-attachments/assets/e45fbf13-891e-4373-9e28-5068480e6877"> ---- ### Bug But in the profiler, opening the Routing panel will not work; instead of the panel, we see an exception: <img width="1208" alt="fail" src="https://github.com/user-attachments/assets/c101db2c-dc86-4c39-8598-ac9533bd3725"> This is because `Symfony\Bundle\WebProfilerBundle\Controller::getTraces` method creates a new `Request` from relative path info. And `Request::create` since 6.3 #49376 throws an exception if `parse_url` returns `false`, which is the case here: https://github.com/symfony/symfony/blob/6d6dd4a93abb2c4d724e0bdb3ab89a22dd3062ac/src/Symfony/Bundle/WebProfilerBundle/Controller/RouterController.php#L83 Prior to version 6.3, the routing panel is displayed, but there are no router matches on it. This is why version 5.4 is also affected. ---- ### Solution So instead of a relative path, I suggest using an absolute URI, which is handled by `parse_url` correctly: <img width="1208" alt="success" src="https://github.com/user-attachments/assets/99842b7f-da64-42d8-907f-7856ca7d1c3a"> Commits ------- 079c8df [HttpKernel] [WebProfileBundle] Fix Routing panel for URLs with a colon
Fixes: #47084
Passing an invalid URI to Request::create triggers an undefined code path. In PHP7 the false value returned by parse_url would quietly be treated as a an array through type coercion leading to unexpected results. In PHP8 this triggers a deprecation exposing the bug.