[Form] Don't submit absent forms even when they have false_values children#64334
Merged
nicolas-grekas merged 1 commit intoMay 23, 2026
symfony:8.1symfony/symfony:8.1from
hlecorche:fix-form-handle-missing-data-optionhlecorche/symfony:fix-form-handle-missing-data-optionCopy head branch name to clipboard
Merged
[Form] Don't submit absent forms even when they have false_values children#64334nicolas-grekas merged 1 commit intosymfony:8.1symfony/symfony:8.1from hlecorche:fix-form-handle-missing-data-optionhlecorche/symfony:fix-form-handle-missing-data-optionCopy head branch name to clipboard
nicolas-grekas merged 1 commit into
symfony:8.1symfony/symfony:8.1from
hlecorche:fix-form-handle-missing-data-optionhlecorche/symfony:fix-form-handle-missing-data-optionCopy head branch name to clipboard
Conversation
…ldren In 8.1, symfony#45081 made the request handlers call MissingDataHandler before checking whether the form was actually present in the request. For compound forms with false_values-aware children (expanded multiple ChoiceType, CheckboxType, ...), the handler synthesises values for the missing children, masking the "form absent" condition and causing the form to be submitted on any unrelated POST to the same endpoint. Move the early-return guard before MissingDataHandler::handle() so an absent form is never processed. Fixes symfony#64315.
handle_missing_data option to opt into MissingDataHandler for absent formsf512151 to
bf2d2ec
Compare
nicolas-grekas
approved these changes
May 23, 2026
Member
nicolas-grekas
left a comment
There was a problem hiding this comment.
Implementation updated, no need for an new option (the use case where only checkboxes are in the form doesn't need to be supported.)
Member
|
Thank you @hlecorche. |
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix a regression introduced in #45081 (8.1):
MissingDataHandlerwas called before the "form absent from request" guard, so for compound forms withfalse_values-aware children (expanded multipleChoiceType,CheckboxType, ...) the handler synthesised values for the missing children, masking the "form absent" condition and causing the form to be submitted on any unrelated POST to the same endpoint.The fix moves the early-return guard before
MissingDataHandler::handle()in both the GET and request-body branches ofHttpFoundationRequestHandlerandNativeRequestHandler, so an entirely absent form is never processed. The legitimatefalse_valuessynthesis for missing children of a submitted form (e.g. all-unchecked checkboxes inside a form whose key is in the request body) is preserved.