-
Notifications
You must be signed in to change notification settings - Fork 11k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request 'request' parameter bag contains query parameters on GET requests #22805
Comments
4.2 isn't supported anymore, sorry. |
@themsaid Sorry, this affects all Laravel versions since 4.2 including the latest releases. Sorry if I wasn't clear in my initial issue. I've updated my comment. |
The bug still exists in version 8.33. |
taylorotwell
pushed a commit
that referenced
this issue
Aug 9, 2021
…quired (#37921) * Manually populate POST request body with JSON data only when required This fixes a 6 year old bug introduced in #7026 where GET requests would have GET data populated in the POST body property leading to issues around Request::post() and $request->getParsedBody() returning GET values when called on GET requests. This is a resubmit of #17087 & #36708, and fixes #22805. Credit to @dan-har for the initial solution and @mixlion for updating it for >=6.x. The original PR was meant to support POST requests where their Content-type was set to application/json (instead of the typical application/x-www-form-urlencoded), but it introduced a subtle and dangerous bug because while $request->getInputSource() does return the JSON data for JSON requests, it also returns the GET data for GET requests. This commit solves the underlying issue without breaking compatibility with the original functionality. * Add test for non-JSON GET requests * Style fixes * Extra space removal * GitHub's editor needs some work
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description:
Within
createFromBase
the request parameter bag is set to the result ofgetInputSource
. This can be POST form data, JSON request data or query parameters from a GET request. This behaviour dates way back and was introduced in #7052. It looks like the main goal of that PR was designed to make sure$request->request
was filled with JSON data from the request.But surely query parameters should never end up in the
$request->request
bag. The documentation on the base Symfony Request class is:I'm less clear about whether GET requests with JSON payloads should end up in the
$request->request
bag? My feeling is they probably shouldn't, but the PR above (#7052) was made to enable such functionality.I discovered this because I had some code designed for the base Symfony request that assumed data coming out of $request->request must have been received via a POST request (and so would be csrf protected). Yes, I should explicitly check the request type and now do. But I was certainly surprised to find query parameters in that bag.
Steps To Reproduce:
Within a GET request with query parameters,
dd($request->request->all());
The text was updated successfully, but these errors were encountered: