
Commit 746f8d3

security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas)
This PR was merged into the 2.8 branch. Discussion ---------- [HttpFoundation] reject invalid method override Based on #86 Commits ------- d7dcedbf1d [HttpFoundation] reject invalid method override
1 parent d0ab719 commit 746f8d3

1 file changed

+29
-14
lines changed

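--- a/Request.php
+++ b/Request.php
@@ -1269,22 +1269,37 @@ public function setMethod($method)
      */
     public function getMethod()
     {
-        if (null === $this->method) {
-            $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
-
-            if ('POST' === $this->method) {
-                if ($method = $this->headers->get('X-HTTP-METHOD-OVERRIDE')) {
-                    $this->method = strtoupper($method);
-                } elseif (self::$httpMethodParameterOverride) {
-                    $method = $this->request->get('_method', $this->query->get('_method', 'POST'));
-                    if (\is_string($method)) {
-                        $this->method = strtoupper($method);
-                    }
-                }
-            }
+        if (null !== $this->method) {
+            return $this->method;
+        }
+
+        $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
+
+        if ('POST' !== $this->method) {
+            return $this->method;
+        }
+
+        $method = $this->headers->get('X-HTTP-METHOD-OVERRIDE');
+
+        if (!$method && self::$httpMethodParameterOverride) {
+            $method = $this->request->get('_method', $this->query->get('_method', 'POST'));
+        }
+
+        if (!\is_string($method)) {
+            return $this->method;
+        }
+
+        $method = strtoupper($method);
+
+        if (\in_array($method, array('GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'), true)) {
+            return $this->method = $method;
+        }
+
+        if (!preg_match('/^[A-Z]++$/D', $method)) {
+            throw new \UnexpectedValueException(sprintf('Invalid method override "%s".', $method));
         }
 
-        return $this->method;
+        return $this->method = $method;
     }
 
     /**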
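Review bot: The `throw new \UnexpectedValueException(...)` added at line 1299 is raised for purely client-controlled input (the `X-HTTP-METHOD-OVERRIDE` header or the `_method` parameter), yet nothing in the hunk distinguishes it from a programming error, so unless a caller catches it the malformed override will presumably surface as a 500 rather than a 400; a dedicated subclass such as `class SuspiciousOperationException extends \UnexpectedValueException` would let the kernel map it to a bad-request response without changing what existing `catch (\UnexpectedValueException $e)` blocks see. The method's docblock closes at line 1269, above the hunk, and should now carry `@throws \UnexpectedValueException When the method override contains characters other than ASCII uppercase letters`, since this is a new failure mode of a previously non-throwing getter. Note also that `$this->method` is already cached as `POST` at line 1276 before the override is validated, so a second call after the exception has been caught returns `POST` silently; that looks intentional so error handlers can still read the request, but it deserves a one-line comment above line 1276 such as `// Cache the real method first: a rejected override must not be retried on the next call.`. getMethod() starts at line 1270 inside the hunk, but its docblock begins outside it.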
