Scalar fixes #9744
Conversation
Looks good, could just use some unit tests on the public method for integers, bools, etc.
If the functionality of ClassInfo::hasMethod() is broader than the docblock, and those extra uses are known in the wild, then it might be more honest to update the docblock to bless that extra case. Otherwise someone might break it in the future.
It feels like there's a deeper issue here, though: why was the result of ping ending up in a method-exists check? That feels like there's an unguarded method execution that could potentially be tied to user input (i.e. security flaw) in there. It would be good to explore that.
@sminnee It doesn't look like a security thing, this is where the call to the If we wanted to make it 'more nicer', then probably change the ping method to return a
Right. We can probably add an is_object check to that screen-capped ClassInfo::methodExists call. If a class name ends up in the response it would be erroneous to check it for a method.
Returning a string '1' would also be nicer than the integer it's currently returning, but you're right that returning an HTTPResponse object would be clearer in intent.
PR to update I'm not sure that
This resolves an issue where method_exists() was being called on scalar response values, which is not supported in PHP 8.
b020a2d to c8ea6d9
I've added some unit tests for the
This method should typehint the incoming value once union types are available, but for now this ensures that method_exists() is not called on scalar values, which is unsupported in PHP 8.
c8ea6d9 to e89ae93
PHP 8 limits `method_exists()` to accepting strings and objects, which was in particular impacting the `/Security/ping` endpoint (which returns an integer.) I've included two changes:

- A change to `Controller::prepareResponse()` that handles scalar values directly, rather than passing them through checks only relevant to objects
- A change to `ClassInfo::hasMethod()` that will enforce a `false` outcome if the provided value isn't a valid argument for `method_exists()`. I initially considered putting the same blanket `is_scalar()` check in place here, but that changes the behaviour when passing in FQCNs, which may be relied upon (despite the docblock clearly calling for an object.)
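The two guards described above, as an added stand-alone PHP 8 example that is not code from this PR or from the SilverStripe framework. The names `FakeResponse`, `safeHasMethod()` and `prepareResponseValue()` are hypothetical stand-ins for `HTTPResponse`, `ClassInfo::hasMethod()` and `Controller::prepareResponse()`. It shows the `TypeError` an unguarded `method_exists()` call raises under `strict_types` when handed the integer the ping case returns, a wrapper that returns `false` for anything that is neither an object nor a string (so FQCNs keep working), and a response-preparation step that short-circuits scalars before any object-only check.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the silverstripe-framework PR.
// FakeResponse, safeHasMethod() and prepareResponseValue() are hypothetical
// stand-ins for HTTPResponse, ClassInfo::hasMethod() and
// Controller::prepareResponse().

final class FakeResponse
{
    public function __construct(private string $body) {}

    public function getBody(): string
    {
        return $this->body;
    }
}

/**
 * method_exists() with its PHP 8 argument contract enforced up front:
 * anything that is neither an object nor a string yields false instead
 * of a TypeError. Strings stay accepted so callers that pass a
 * fully-qualified class name keep their existing behaviour.
 */
function safeHasMethod(mixed $value, string $method): bool
{
    if (!is_object($value) && !is_string($value)) {
        return false;
    }
    return method_exists($value, $method);
}

/**
 * Turns an action's return value into a response object. Scalars and
 * null are wrapped directly and never reach the object-only checks;
 * objects are only ever inspected through safeHasMethod(), so a method
 * lookup cannot be performed on a non-object value.
 */
function prepareResponseValue(mixed $result): FakeResponse
{
    if ($result instanceof FakeResponse) {
        return $result;
    }
    if ($result === null || is_scalar($result)) {
        return new FakeResponse((string) $result);
    }
    if (safeHasMethod($result, '__toString')) {
        return new FakeResponse((string) $result);
    }
    throw new InvalidArgumentException(
        'Cannot build a response from ' . get_debug_type($result)
    );
}

// Under strict_types, PHP 8 rejects the integer outright; this is the
// failure mode the PR description attributes to /Security/ping.
try {
    method_exists(1, 'getBody');
} catch (TypeError $e) {
    echo 'unguarded: ' . $e->getMessage() . PHP_EOL;
}

// Guarded lookups: scalars are refused without an exception, objects and
// fully-qualified class names are still checked normally.
var_dump(safeHasMethod(1, 'getBody'));                     // integer: refused
var_dump(safeHasMethod(true, 'getBody'));                  // bool: refused
var_dump(safeHasMethod(FakeResponse::class, 'getBody'));   // FQCN: still looked up
var_dump(safeHasMethod(new FakeResponse('x'), 'getBody')); // object: looked up

// The ping-style integer now becomes a response body without any
// method lookup taking place.
var_dump(prepareResponseValue(1)->getBody());
```

Keeping `is_string()` in the wrapper rather than a blanket `is_scalar()` rejection is what preserves the FQCN behaviour the description mentions; the scalar branch in `prepareResponseValue()` is what answers the question raised in the thread, since a non-object return value is wrapped before any method check can run on it.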