Description
Affected version: 3.6.0 (possibly 4.1.0 as well)
When using ORM pagination and calling something like http://localhost/galery/page/2?direction[test]=1&sort=columnname, the direction parameter becomes an array. This will result in an array to string conversion error in the 3.6.0 QuerySubscriber. The 4.1.0 QuerySubscriber looks like it could be affected, too.
First, I thought about a quick is_string() check. But then I noticed that other places like the SlidingPagination in the KnpPaginatorBundle rely on the direction parameter to be a string, too. It seems that more than one class gets the value directly from the request. So my current idea is fixing the request with a kernel event subscriber like this draft:
final class SanitizeKnpPaginationParameters implements EventSubscriberInterface
{
public static function getSubscribedEvents(): array
{
return [
KernelEvents::REQUEST => ['onKernelRequest', 10],
];
}
public function onKernelRequest(RequestEvent $event): void
{
$direction = $event->getRequest()->query->get('direction');
if (null === $direction || \is_string($direction)) {
return;
}
$event->getRequest()->query->set('direction', 'desc');
}
}
What do you think? I'm not convinced this steamroller approach is an elegant solution.
I'd be happy to open a PR when we have a good notion on how to do it. (If so, could I target a 3.x branch or are PRs only accepted on the current major?)