8000 [WIP] Explicitly disallowing serialization of objects as controller attributes... by unframework · Pull Request #8263 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[WIP] Explicitly disallowing serialization of objects as controller attributes... #8263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

[WIP] Explicitly disallowing serialization of objects as controller attributes... #8263

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
bf8c2f8
Explicitly disallowing serialization of objects as controller attribu…
unframework Jun 12, 2013
a08d5a7
Updated tests to make sure that objects are not accepted as parameter…
unframework Jun 12, 2013
2cb0266
Style fix
unframework Jun 14, 2013
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Explicitly disallowing serialization of objects as controller attribu… 
…tes in non-inline fragment renderers
  • Loading branch information
@unframework
unframework committed Jun 12, 2013
commit bf8c2f8baea9ca6acccc0843c921e954d9dbc7a5
4 changes: 3 additions & 1 deletion src/Symfony/Component/HttpKernel/Fragment/InlineFragmentRenderer.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,14 +47,16 @@ public function render($uri, Request $request, array $options = array())
$reference = null;
if ($uri instanceof ControllerReference) {
$reference = $uri;
$uri = $this->generateFragmentUri($uri, $request);
$uri = $this->generateFragmentUri($uri, $request, false);
}

$subRequest = $this->createSubRequest($uri, $request);

// override Request attributes as they can be objects (which are not supported by the generated URI)
if (null !== $reference) {
$subRequest->attributes->add($reference->attributes);
$subRequest->attributes->set('_format', isset($reference->attributes['_format']) ? $reference->attributes['_format'] : $request->getRequestFormat());
$subRequest->attributes->set('_controller', $reference->controller);
}

$level = ob_get_level();
Expand Down
27 changes: 19 additions & 8 deletions src/Symfony/Component/HttpKernel/Fragment/RoutableFragmentRenderer.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,21 +39,32 @@ public function setFragmentPath($path)
/**
* Generates a fragment URI for a given controller.
*
* @param ControllerReference $reference A ControllerReference instance
* @param Request $request A Request instance
* @param ControllerReference $reference A ControllerReference instance
* @param Request $request A Request instance
* @param bool $includeAttributes whether to include reference attributes into the URI
*
* @return string A fragment URI
*/
protected function generateFragmentUri(ControllerReference $reference, Request $request)
protected function generateFragmentUri(ControllerReference $reference, Request $request, $includeAttributes = true)
{
if (!isset($reference->attributes['_format'])) {
$reference->attributes['_format'] = $request->getRequestFormat();
// work with copies of query and attributes data to leave the reference unchanged
$renderedAttributes = array(
'_format' => isset($reference->attributes['_format']) ? $reference->attributes['_format'] : $request->getRequestFormat(),
'_controller' => $reference->controller
);

if ($includeAttributes) {
$renderedAttributes = array_merge($reference->attributes, $renderedAttributes);
}

$reference->attributes['_controller'] = $reference->controller;
$renderedQuery = array_merge($reference->query, array('_path' => http_build_query($renderedAttributes, '', '&')));

$reference->query['_path'] = http_build_query($reference->attributes, '', '&');
// make sure that logic entities do not end up haphazardly serialized
parse_str($renderedQuery['_path'], $serializedAttributes);
if ($serializedAttributes != $renderedAttributes) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing line break. Also, make a strict comparison !==.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The non-strict comparison is necessary, because http_build_query does mangle integer attributes into being strings. This comparison is basically just a quick smell-check for any non-trivial object data.

I think this prompts a higher-level discussion: why not actually use PHP serialize + base64 encode for encoding controller params? Unlike regular query-string where the int -> string conversion is expected, I think that in this case we can encode int/boolean/string/stdClass (but no other objects) using native serialize to fully preserve scalar typing and make actual controller developer not worry about accidentally stringified values. For serialize() data I'd recommend using base64 instead of directly piping into urlencode() because it's a true binary blob.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For that matter, non-anonymous objects can then also be serialized as well - since the URLs are signed we don't need to worry too much about tampering

throw new \LogicException('controller attributes with objects are not supported');
}

return $request->getUriForPath($this->fragmentPath.'?'.http_build_query($reference->query, '', '&'));
return $request->getUriForPath($this->fragmentPath.'?'.http_build_query($renderedQuery, '', '&'));
}
}
0