ZF-1798: Zend_Controller_Request_Http too liberal when retrieving parameter sources


_GET and _POST should not be consulted when retrieving request parameters in a front-controller, routed system.


I have a proposed fix:

In http request:
    protected $_paramSources = array('_GET', '_POST');
    public function setParamSources(Array $paramSources = array())
        $this->_paramSources = $paramSources;
        return $this;


    // changes to getParams getParam
    public function getParam($key, $default = null)
        $keyName = (null !== ($alias = $this->getAlias($key))) ? $alias : $key;

        if (isset($this->_params[$keyName])) {
            return $this->_params[$keyName];
        } elseif (in_array('_GET', $this->_paramSources) && (isset($_GET[$keyName]))) {
            return $_GET[$keyName];
        } elseif (in_array('_POST', $this->_paramSources) && (isset($_POST[$keyName]))) {
            return $_POST[$keyName];

        return $default;

    public function getParams()
        $return = $this->_params;
        if (isset($_GET) && is_array($_GET) && in_array('_GET', $this->_paramSources)) {
            $return += $_GET;
        if (isset($_POST) && is_array($_POST) && in_array('_POST', $this->_paramSources)) {
            $return += $_POST;
        return $return;

This also needs to be set as a FrontController parameter, since request creation happens at dispatch time.

But i think you know what to do.


The reason the request object pulls from $_GET and $_POST is so that if mod_rewrite (or a similar solution) is unavailable, requests may still be routed. Honoring your request would break this feature. Unless I can get a patch that addresses such a situation, I can't include this.

Actually, its quite the opposite. It behaves as it does now by default, but you have the option to remove specific param sources if you opt to, as i do ;)

So basically, in the bootstrap, i should be able to set an option to remove Get & Post, and optionally, i can dig down in to the request object an specifically call $request->setParamSources(null);

This would not break BC, and, it is something I would suggest people do for security purposes.


Scheduling for 1.1.0

Committed to trunk.