[HttpFoundation] Deprecate passing invalid URI to Request::create #49376
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hey! Thanks for your PR. You are targeting branch "6.3" but it seems your PR description refers to branch "5.4". Cheers! Carsonbot |
|
Wasn't quite sure how the Changelog/Deprecation documentation was suppose to work so that is missing but should otherwise be good to go. |
stof
requested changes
Feb 14, 2023
ab9e844 to
86230fb
Compare
|
@stof Fixed the relevant fabbot changes. Didn't touch this code so maybe should be handled else where? |
Yes, that one you can ignore. But the |
|
Also, the failing tests appear to be related. |
|
the test failure is because you forogt to update the assertion in the test when fixing the text of the deprecation message. |
Fixes: symfony#47084 Passing an invalid URI to Request::create triggers an undefined code path. In PHP7 the false value returned by parse_url would quietly be treated as a an array through type coercion leading to unexpected results. In PHP8 this triggers a deprecation exposing the bug.
86230fb to
bce4c27
Compare
|
Fixed the test and that stray space that snuck in. Somehow the tests are worse... There's a ton of fatal errors and failures that seem unrelated so hoping something changed elsewhere... |
GromNaN
approved these changes
Mar 10, 2023
fabpot
approved these changes
Mar 13, 2023
|
Thank you @neclimdul. |
nicolas-grekas
added a commit
that referenced
this pull request
Jun 30, 2023
… behaviors (GromNaN) This PR was squashed before being merged into the 7.0 branch. Discussion ---------- [HttpFoundation] Remove deprecated classes, method and behaviors | Q | A | ------------- | --- | Branch? | 7.0 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | n/a Clean `symfony/http-foundation` from all its legacy. - Remove `RequestMatcher` and `ExpressionRequestMatcher`, deprecated since #47595 - Remove `Request::getContentType()`, deprecated since #45034 - Throw a `UnexpectedValueException` or `BadRequestException` when `ParameterBag::filter()` or `InputBag::filter()` reads an invalid value and the flag `FILTER_NULL_ON_FAILURE` is not set. new behavior announced since #48525 - Throw a `InvalidArgumentException` when calling `Request::create()` with a malformed URI, deprecated since #49376 Commits ------- 665a775 [HttpFoundation] Remove deprecated classes, method and behaviors
nicolas-grekas
added a commit
that referenced
this pull request
Aug 8, 2024
… with a colon (akeylimepie) This PR was squashed before being merged into the 5.4 branch. Discussion ---------- [HttpKernel] [WebProfileBundle] Fix Routing panel for URLs with a colon | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | see below | License | MIT According to [docs](https://www.php.net/manual/en/function.parse-url.php) the `parse_url` function may not produce the expected result for **relative** URLs. In particular, the function produces incorrect results for a relative URL with a port-like string in any part, such as: ```php parse_url('/foo/bar:123/baz'); // false ``` But such a URL is valid. So if there is a controller with this route for it, Symfony will correctly match it: ```php <?php namespace App\Controller; use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Routing\Attribute\Route; class HelloController extends AbstractController { #[Route('/foo/bar:123/baz')] public function world() { return new Response(); } } ``` <img width="1208" alt="match" src="https://github.com/user-attachments/assets/e45fbf13-891e-4373-9e28-5068480e6877"> ---- ### Bug But in the profiler, opening the Routing panel will not work; instead of the panel, we see an exception: <img width="1208" alt="fail" src="https://github.com/user-attachments/assets/c101db2c-dc86-4c39-8598-ac9533bd3725"> This is because `Symfony\Bundle\WebProfilerBundle\Controller::getTraces` method creates a new `Request` from relative path info. And `Request::create` since 6.3 #49376 throws an exception if `parse_url` returns `false`, which is the case here: https://github.com/symfony/symfony/blob/6d6dd4a93abb2c4d724e0bdb3ab89a22dd3062ac/src/Symfony/Bundle/WebProfilerBundle/Controller/RouterController.php#L83 Prior to version 6.3, the routing panel is displayed, but there are no router matches on it. This is why version 5.4 is also affected. ---- ### Solution So instead of a relative path, I suggest using an absolute URI, which is handled by `parse_url` correctly: <img width="1208" alt="success" src="https://github.com/user-attachments/assets/99842b7f-da64-42d8-907f-7856ca7d1c3a"> Commits ------- 079c8df [HttpKernel] [WebProfileBundle] Fix Routing panel for URLs with a colon
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #47084
Passing an invalid URI to Request::create triggers an undefined code path. In PHP7 the false value returned by parse_url would quietly be treated as a an array through type coercion leading to unexpected results. In PHP8 this triggers a deprecation exposing the bug.