Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request 'request' parameter bag contains query parameters on GET requests #22805

Closed
andyvenus opened this issue Jan 15, 2018 · 3 comments
Closed

Request 'request' parameter bag contains query parameters on GET requests #22805

andyvenus opened this issue Jan 15, 2018 · 3 comments

Comments

@andyvenus
Copy link
Contributor

andyvenus commented Jan 15, 2018
edited
Loading

  • Laravel Version: Since 4.2, still affects the latest version
  • PHP Version: n/a
  • Database Driver & Version: n/a

Description:

Within createFromBase the request parameter bag is set to the result of getInputSource. This can be POST form data, JSON request data or query parameters from a GET request. This behaviour dates way back and was introduced in #7052. It looks like the main goal of that PR was designed to make sure $request->request was filled with JSON data from the request.

But surely query parameters should never end up in the $request->request bag. The documentation on the base Symfony Request class is:

/**
* Request body parameters ($_POST).
*
* @var \Symfony\Component\HttpFoundation\ParameterBag
*/
public $request;

I'm less clear about whether GET requests with JSON payloads should end up in the $request->request bag? My feeling is they probably shouldn't, but the PR above (#7052) was made to enable such functionality.

I discovered this because I had some code designed for the base Symfony request that assumed data coming out of $request->request must have been received via a POST request (and so would be csrf protected). Yes, I should explicitly check the request type and now do. But I was certainly surprised to find query parameters in that bag.

Steps To Reproduce:

Within a GET request with query parameters, dd($request->request->all());
@themsaid
Copy link
Member

4.2 isn't supported anymore, sorry.

@andyvenus
Copy link
Contributor Author

andyvenus commented Jan 29, 2018
edited
Loading

@themsaid Sorry, this affects all Laravel versions since 4.2 including the latest releases. Sorry if I wasn't clear in my initial issue.

I've updated my comment.

@mixlion
Copy link

mixlion commented Mar 19, 2021
edited
Loading

The bug still exists in version 8.33.
Also due to this bug, PSR requests created in RoutingServiceProvider return GET parameters with the getParsedBody method.

@mixlion mixlion mentioned this issue Mar 23, 2021
Closed
@LukeTowers LukeTowers mentioned this issue Jul 5, 2021
Merged
taylorotwell pushed a commit that referenced this issue Aug 9, 2021
@LukeTowers
[9.x] Manually populate POST request body with JSON data only when re…
13e4a7f 
…quired (#37921)

* Manually populate POST request body with JSON data only when required

This fixes a 6 year old bug introduced in #7026 where GET requests would have GET data populated in the POST body property leading to issues around Request::post() and $request->getParsedBody() returning GET values when called on GET requests.

This is a resubmit of #17087 & #36708, and fixes #22805. Credit to @dan-har for the initial solution and @mixlion for updating it for >=6.x.

The original PR was meant to support POST requests where their Content-type was set to application/json (instead of the typical application/x-www-form-urlencoded), but it introduced a subtle and dangerous bug because while $request->getInputSource() does return the JSON data for JSON requests, it also returns the GET data for GET requests. This commit solves the underlying issue without breaking compatibility with the original functionality.

* Add test for non-JSON GET requests

* Style fixes

* Extra space removal

* GitHub's editor needs some work
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mixlion @themsaid @andyvenus