From eb2eba17e3fe45eb07f57e77712f3d7e1964ff4c Mon Sep 17 00:00:00 2001
From: Tobias Schultze
Date: Sat, 25 Aug 2012 00:05:19 +0200
Subject: [PATCH] [Form] don't allow users to force exceptions by submitting unexpected data

this makes it more fault-tolerant by simply ignoring wrong stuff from hackers

[Form] added test to ensure binding of wrong data is ignored
---
 src/Symfony/Component/Form/Form.php | 5 -----
 .../Component/Form/Tests/SimpleFormTest.php | 19 +++++++++++++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/Symfony/Component/Form/Form.php b/src/Symfony/Component/Form/Form.php
index 89add737e7b67..292e3b60ecee4 100644
--- a/src/Symfony/Component/Form/Form.php
+++ b/src/Symfony/Component/Form/Form.php
@@ -13,7 +13,6 @@
 
 use Symfony\Component\Form\Exception\FormException;
 use Symfony\Component\Form\Exception\AlreadyBoundException;
-use Symfony\Component\Form\Exception\UnexpectedTypeException;
 use Symfony\Component\Form\Exception\TransformationFailedException;
 use Symfony\Component\Form\Util\FormUtil;
 use Symfony\Component\Form\Util\PropertyPath;
@@ -533,10 +532,6 @@ public function bind($submittedData)
 // (think of empty collection forms)
 if ($this->config->getCompound()) {
 if (!is_array($submittedData)) {
- if (!FormUtil::isEmpty($submittedData)) {
- throw new UnexpectedTypeException($submittedData, 'array');
- }
-
 $submittedData = array();
 }
 
diff --git a/src/Symfony/Component/Form/Tests/SimpleFormTest.php b/src/Symfony/Component/Form/Tests/SimpleFormTest.php
index 286e5e53ef0af..3a590b7509af3 100644
--- a/src/Symfony/Component/Form/Tests/SimpleFormTest.php
+++ b/src/Symfony/Component/Form/Tests/SimpleFormTest.php
@@ -779,6 +779,25 @@ public function testSetDataCannotInvokeItself()
 $form->setData('foo');
 }
 
+ public function testBindingWrongDataIsIgnored()
+ {
+ $test = $this;
+
+ $child = $this->getBuilder('child', $this->dispatcher);
+ $child->addEventListener(FormEvents::PRE_BIND, function (FormEvent $event) use ($test) {
+ // child form doesn't receive the wrong data that is bound on parent
+ $test->assertNull($event->getData());
+ });
+
+ $parent = $this->getBuilder('parent', new EventDispatcher())
+ ->setCompound(true)
+ ->setDataMapper($this->getDataMapper())
+ ->add($child)
+ ->getForm();
+
+ $parent->bind('not-an-array');
+ }
+
 protected function createForm()
 {
 return $this->getBuilder()->getForm();
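Review bot: The only assertion in `testBindingWrongDataIsIgnored()` sits inside the PRE_BIND listener closure, so if that listener never runs the test passes without checking anything. Record that it fired: `$called = false;` before the listener, `use ($test, &$called)` with `$called = true;` inside it, and `$this->assertTrue($called);` after `$parent->bind('not-an-array');`. The test also pins nothing about the parent after the bind. With the exception removed in Form.php, a scalar submitted for a compound form is replaced by `array()`, and as far as the visible hunks show no form error or log entry is recorded for it. It is worth asserting the parent's resulting data as well, and having the test comment state that the malformed value is dropped silently rather than rejected, so the loss of that signal is a documented choice.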