[HttpFoundation] Deprecate passing invalid URI to Request::create #49376

Merged

Contributor

@neclimdul neclimdul commented Feb 14, 2023

Fixes: #47084

Passing an invalid URI to Request::create triggers an undefined code path. In PHP7 the false value returned by parse_url would quietly be treated as an array through type coercion, leading to unexpected results. In PHP8 this triggers a deprecation, exposing the bug.

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | yes
| Tickets       | Fix #47084
| License       | MIT

@carsonbot

Hey!

Thanks for your PR. You are targeting branch "6.3" but it seems your PR description refers to branch "5.4".
Could you update the PR description or change target branch? This helps core maintainers a lot.

Cheers!

Carsonbot

@neclimdul
Contributor Author

Wasn't quite sure how the Changelog/Deprecation documentation was supposed to work, so that is missing, but should otherwise be good to go.

Member

@stof stof left a comment

Please also fix the coding standards as reported by fabbot.

src/Symfony/Component/HttpFoundation/Request.php (outdated, resolved)
@neclimdul neclimdul force-pushed the deprecate-invalid-request-uri-creation branch 2 times, most recently from ab9e844 to 86230fb Compare February 14, 2023 21:39
@neclimdul
Contributor Author

@stof Fixed the relevant fabbot changes.

@@ -1463,6 +1463,7 @@
      * @param bool $asResource If true, a resource will be returned
      *
      * @return string|resource
+     *
      * @psalm-return ($asResource is true ? resource : string)
      */
     public function getContent(bool $asResource = false)
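
Review bot: the only added line is the blank ` *` between `@return` and `@psalm-return` in the `getContent()` docblock, a whitespace-only docblock change with no connection to the `Request::create()` URI handling this PR is about. Leave it out of this PR and apply it as a separate coding-standards fix so the deprecation change can be reviewed and reverted on its own.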

Didn't touch this code so maybe should be handled elsewhere?

@derrabus
Member

> Didn't touch this code so maybe should be handled elsewhere?

Yes, that one you can ignore. But the trigger_deprecation() line fabbot complains about is your code. 🙂

@derrabus
Member

derrabus commented Feb 14, 2023

Also, the failing tests appear to be related.

@stof
Member

stof commented Feb 15, 2023

The test failure is because you forgot to update the assertion in the test when fixing the text of the deprecation message.

Fixes: symfony#47084

Passing an invalid URI to Request::create triggers an undefined code
path. In PHP7 the false value returned by parse_url would quietly be
treated as an array through type coercion leading to unexpected
results. In PHP8 this triggers a deprecation exposing the bug.
@neclimdul neclimdul force-pushed the deprecate-invalid-request-uri-creation branch from 86230fb to bce4c27 Compare February 15, 2023 16:34
@neclimdul
Contributor Author

Fixed the test and that stray space that snuck in.

Somehow the tests are worse... There's a ton of fatal errors and failures that seem unrelated so hoping something changed elsewhere...

@fabpot
Member

fabpot commented Mar 13, 2023

Thank you @neclimdul.

@fabpot fabpot merged commit cf55f2b into symfony:6.3 Mar 13, 2023
nicolas-grekas added a commit that referenced this pull request Jun 30, 2023
… behaviors (GromNaN)

This PR was squashed before being merged into the 7.0 branch.

Discussion
----------

[HttpFoundation] Remove deprecated classes, method and behaviors

| Q             | A
| ------------- | ---
| Branch?       | 7.0
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | n/a

Clean `symfony/http-foundation` from all its legacy.

- Remove `RequestMatcher` and `ExpressionRequestMatcher`,
  deprecated since #47595
- Remove `Request::getContentType()`,
  deprecated since #45034
- Throw an `UnexpectedValueException` or `BadRequestException` when `ParameterBag::filter()` or `InputBag::filter()` reads an invalid value and the flag `FILTER_NULL_ON_FAILURE` is not set.
  new behavior announced since #48525
- Throw an `InvalidArgumentException` when calling `Request::create()` with a malformed URI,
  deprecated since #49376

Commits
-------

665a775 [HttpFoundation] Remove deprecated classes, method and behaviors
nicolas-grekas added a commit that referenced this pull request Aug 8, 2024
… with a colon (akeylimepie)

This PR was squashed before being merged into the 5.4 branch.

Discussion
----------

[HttpKernel] [WebProfileBundle] Fix Routing panel for URLs with a colon

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | see below
| License       | MIT

According to [docs](https://www.php.net/manual/en/function.parse-url.php) the `parse_url` function may not produce the expected result for **relative** URLs. In particular, the function produces incorrect results for a relative URL with a port-like string in any part, such as:
```php
parse_url('/foo/bar:123/baz'); // false
```

But such a URL is valid. So if there is a controller with this route for it, Symfony will correctly match it:

```php
<?php

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;

class HelloController extends AbstractController
{
    #[Route('/foo/bar:123/baz')]
    public function world()
    {
        return new Response();
    }
}
```

<img width="1208" alt="match" src="https://github.com/user-attachments/assets/e45fbf13-891e-4373-9e28-5068480e6877">

----
### Bug

But in the profiler, opening the Routing panel will not work; instead of the panel, we see an exception:

<img width="1208" alt="fail" src="https://github.com/user-attachments/assets/c101db2c-dc86-4c39-8598-ac9533bd3725">

This is because `Symfony\Bundle\WebProfilerBundle\Controller::getTraces` method creates a new `Request` from relative path info. And `Request::create` since 6.3 #49376 throws an exception if `parse_url` returns `false`, which is the case here:

https://github.com/symfony/symfony/blob/6d6dd4a93abb2c4d724e0bdb3ab89a22dd3062ac/src/Symfony/Bundle/WebProfilerBundle/Controller/RouterController.php#L83

Prior to version 6.3, the routing panel is displayed, but there are no router matches on it. This is why version 5.4 is also affected.

----
### Solution

So instead of a relative path, I suggest using an absolute URI, which is handled by `parse_url` correctly:

<img width="1208" alt="success" src="https://github.com/user-attachments/assets/99842b7f-da64-42d8-907f-7856ca7d1c3a">

Commits
-------

079c8df [HttpKernel] [WebProfileBundle] Fix Routing panel for URLs with a colon
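
The behaviour described in the commit messages above, as an added PHP example (not code from Symfony or from either PR): a strict parse that rejects a URI when `parse_url()` returns `false`, next to the absolute-URI workaround from the "Solution" section. The function names, the exception message and the `http://localhost` base are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration, not Symfony code. Rejects a URI when parse_url()
 * returns false instead of letting false be coerced into an array.
 * The function name and exception message are assumptions for this example.
 */
function parseUriStrict(string $uri): array
{
    $components = parse_url($uri);
    if ($components === false) {
        throw new InvalidArgumentException(sprintf('Malformed URI "%s".', $uri));
    }

    return $components;
}

/**
 * Workaround from the "Solution" section: make the path absolute before
 * parsing, so a port-like ":123" inside a path segment no longer makes
 * parse_url() fail. The base URI is a placeholder assumed for this example.
 */
function parsePathInfo(string $pathInfo, string $base = 'http://localhost'): array
{
    return parseUriStrict(rtrim($base, '/').'/'.ltrim($pathInfo, '/'));
}

// Constructed sample inputs: the path from the report plus an ordinary one.
foreach (['/foo/bar:123/baz', '/foo/bar/baz'] as $pathInfo) {
    try {
        $relative = parseUriStrict($pathInfo)['path'] ?? '(no path)';
    } catch (InvalidArgumentException $e) {
        $relative = 'rejected: '.$e->getMessage();
    }
    $absolute = parsePathInfo($pathInfo)['path'] ?? '(no path)';

    printf("%-18s relative => %s | absolute => %s\n", $pathInfo, $relative, $absolute);
}
```

Any caller that builds a request from router-matched path info should use the absolute form, because the router accepts paths that the relative parse rejects.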
Successfully merging this pull request may close these issues.

Request::create can trigger deprecated array conversion in 8.1 with bad values