[HttpFoundation] disabled Request _method feature by default (should …
…now be explicitely enabled via a call to enableHttpMethodOverride())
Showing
4 changed files
with
74 additions
and
3 deletions.
|
@@ -32,6 +32,8 @@ class Request | |
{ | ||
protected static $trustProxy = false; | ||
|
||
protected static $httpMethodParameterOverride = false; | ||
|
||
/** | ||
* @var \Symfony\Component\HttpFoundation\ParameterBag | ||
* | ||
|
@@ -503,6 +505,19 @@ public static function normalizeQueryString($qs) | |
return implode('&', $parts); | ||
} | ||
|
||
/** | ||
* Enables support for the _method request parameter to determine the intended HTTP method. | ||
* | ||
* Be warned that enabling this feature might lead to CSRF issues in your code. | ||
* Check that you are using CSRF tokens when required. | ||
* | ||
* The HTTP method can only be overriden when the real HTTP method is POST. | ||
*/ | ||
public static function enableHttpMethodParameterOverride() | ||
{ | ||
self::$httpMethodParameterOverride = true; | ||
} | ||
|
||
/** | ||
* Gets a "parameter" value. | ||
* | ||
|
@@ -915,26 +930,51 @@ public function setMethod($method) | |
} | ||
|
||
/** | ||
* Gets the request method. | ||
* Gets the request "intended" method. | ||
* | ||
* If the X-HTTP-Method-Override header is set, and if the method is a POST, | ||
* then it is used to determine the "real" intended HTTP method. | ||
* | ||
* The _method request parameter can also be used to determine the HTTP method, | ||
* but only if enableHttpMethodParameterOverride() has been called. | ||
* | ||
* The method is always an uppercased string. | ||
* | ||
* @return string The request method | ||
* | ||
* @api | ||
* | ||
* @see getRealMethod | ||
*/ | ||
public function getMethod() | ||
{ | ||
if (null === $this->method) { | ||
$this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET')); | ||
|
||
if ('POST' === $this->method) { | ||
$this->method = strtoupper($this->headers->get('X-HTTP-METHOD-OVERRIDE', $this->request->get('_method', $this->query->get('_method', 'POST')))); | ||
if ($method = $this->headers->get('X-HTTP-METHOD-OVERRIDE')) { | ||
$this->method = strtoupper($method); | ||
} elseif (self::$httpMethodParameterOverride) { | ||
$this->method = strtoupper($this->request->get('_method', $this->query->get('_method', 'POST'))); | ||
} | ||
} | ||
} | ||
|
||
return $this->method; | ||
} | ||
|
||
/** | ||
* Gets the "real" request method. | ||
* | ||
* @return string The request method | ||
* | ||
* @see getMethod | ||
*/ | ||
public function getRealMethod() | ||
{ | ||
return $this->server->get('REQUEST_METHOD', 'GET'); | ||
alvarezmario
Contributor
|
||
} | ||
|
||
/** | ||
* Gets the mime type associated with the format. | ||
* | ||
|
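Review bot: The override value in getMethod() is stored without being checked against any set of expected method names: both `$this->method = strtoupper($method);` on the header branch and the `_method` branch accept whatever string the client sends on a POST. Anything downstream that compares getMethod() to decide routing, caching or access (not visible in this section) then works on a client-chosen token, so I would restrict the result to the methods the application actually handles and keep POST otherwise, e.g. `if (!in_array($this->method, array('GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'), true)) { $this->method = 'POST'; }` after the override is applied. The X-HTTP-Method-Override branch also stays active whether or not enableHttpMethodParameterOverride() was called, which the new flag's name and docblock do not make obvious. Because the result is cached in `$this->method`, the docblock of enableHttpMethodParameterOverride() should say that it has to be called before the first getMethod() on a request, and that no counterpart to switch the flag off again is visible in this section.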
should probably be
strtoupper($this->server->get('REQUEST_METHOD', 'GET'));