
Conversation

@xabbuh
Member

@xabbuh xabbuh commented Oct 11, 2025

| Q             | A
| ------------- | ---
| Branch?       | 8.0
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        |
| License       | MIT


```php
$method = strtoupper($method);

if (\in_array($method, ['GET', 'HEAD', 'CONNECT', 'TRACE'], true)) {
```
Member Author


I wonder if we should forbid (in 7.4) listing any of these methods in $allowedHttpMethodOverride

Member


And return a 400?
I wondered the same and thought: what for in the end?

Member Author


I was thinking of throwing an exception if setAllowedHttpMethodOverride() is called with a list of methods of which one or more are matching this list.

Member


Ah, yes, that'd work for me, to spot misconfigs earlier

Member Author


see #62065
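As an added illustration of what the thread converges on (reject the forbidden methods when the override allow-list is configured, and never honour an override to them at request time), here is standalone example code; it is not Symfony's `Request` implementation, and the class and method names are assumptions for this illustration:

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. MethodOverrideGuard and resolveMethod are
// hypothetical names; the forbidden list is the one discussed in the thread.
final class MethodOverrideGuard
{
    // GET/HEAD are safe, cacheable methods and CONNECT/TRACE have no place behind a
    // form field or header, so an override must never select them.
    private const FORBIDDEN = ['GET', 'HEAD', 'CONNECT', 'TRACE'];

    /** @var list<string> */
    private array $allowed;

    /** @param list<string> $allowed methods selectable via _method / X-HTTP-Method-Override */
    public function __construct(array $allowed)
    {
        $allowed = array_map('strtoupper', $allowed);
        // Fail at configuration time, so a misconfiguration is spotted early.
        $bad = array_intersect($allowed, self::FORBIDDEN);
        if ($bad) {
            throw new InvalidArgumentException(sprintf('HTTP method override to "%s" is not allowed.', implode('", "', $bad)));
        }
        $this->allowed = array_values($allowed);
    }

    /** Effective method: the override is honoured only for a real POST whose override is allow-listed. */
    public function resolveMethod(string $realMethod, ?string $headerOverride, ?string $bodyOverride): string
    {
        $realMethod = strtoupper($realMethod);
        if ('POST' !== $realMethod) {
            return $realMethod;
        }
        $override = strtoupper((string) ($headerOverride ?? $bodyOverride ?? ''));
        // Defence in depth: check the forbidden set again even though the constructor excludes it.
        if ('' === $override || \in_array($override, self::FORBIDDEN, true) || !\in_array($override, $this->allowed, true)) {
            return $realMethod;
        }
        return $override;
    }
}

$guard = new MethodOverrideGuard(['PUT', 'PATCH', 'DELETE']);
echo $guard->resolveMethod('POST', null, 'delete'), "\n";   // allow-listed override is applied
echo $guard->resolveMethod('POST', 'GET', null), "\n";      // forbidden target is ignored, stays POST
try {
    new MethodOverrideGuard(['PUT', 'get']);                 // rejected at configuration time
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```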

@nicolas-grekas
Member

Thank you @xabbuh.

@nicolas-grekas nicolas-grekas merged commit b6d7b24 into symfony:8.0 Oct 12, 2025
9 of 10 checks passed
@xabbuh xabbuh deleted the pr-61949 branch October 12, 2025 09:58
nicolas-grekas added a commit that referenced this pull request Oct 14, 2025
…rride of GET, HEAD, CONNECT and TRACE (xabbuh)

This PR was merged into the 7.4 branch.

Discussion
----------

[FrameworkBundle][HttpFoundation] forbid HTTP method override of GET, HEAD, CONNECT and TRACE

| Q             | A
| ------------- | ---
| Branch?       | 7.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Issues        | see #62042 (comment)
| License       | MIT

Commits
-------

1b79380 forbid HTTP method override of GET, HEAD, CONNECT and TRACE
@fabpot fabpot mentioned this pull request Oct 27, 2025
