ZF-1798: Zend_Controller_Request_Http too liberal when retrieving parameter sources

Issue Type:
Bug
Created:
2007-08-01T13:16:13.000+0000
Last Updated:
2008-03-21T16:25:17.000+0000
Status:
Resolved
Fix version(s):
  • 1.5.0 (17/Mar/08)
Reporter:
Ralph Schindler (ralph)
Assignee:
Matthew Weier O'Phinney (matthew)
Tags:
  • Zend_Controller
Related issues:
Attachments:

Description

_GET and _POST should not be consulted when retrieving request parameters in a front-controller, routed system.

@see http://nabble.com/Params-and-Post-vars-tf4075463.h…

I have a proposed fix:


In http request:
    protected $_paramSources = array('_GET', '_POST');
    
    public function setParamSources(Array $paramSources = array())
    {
        $this->_paramSources = $paramSources;
        return $this;
    }

    ... 

    // changes to getParams getParam
    public function getParam($key, $default = null)
    {
        $keyName = (null !== ($alias = $this->getAlias($key))) ? $alias : $key;

        if (isset($this->_params[$keyName])) {
            return $this->_params[$keyName];
        } elseif (in_array('_GET', $this->_paramSources) && (isset($_GET[$keyName]))) {
            return $_GET[$keyName];
        } elseif (in_array('_POST', $this->_paramSources) && (isset($_POST[$keyName]))) {
            return $_POST[$keyName];
        }

        return $default;
    }

    public function getParams()
    {
        $return = $this->_params;
        if (isset($_GET) && is_array($_GET) && in_array('_GET', $this->_paramSources)) {
            $return += $_GET;
        }
        if (isset($_POST) && is_array($_POST) && in_array('_POST', $this->_paramSources)) {
            $return += $_POST;
        }
        return $return;
    }

This also needs to be set as a FrontController parameter, since request creation happens at dispatch time.

But i think you know what to do.

Comments

Posted by Matthew Weier O'Phinney (matthew) on 2007-09-14T12:10:58.000+0000

The reason the request object pulls from $_GET and $_POST is so that if mod_rewrite (or a similar solution) is unavailable, requests may still be routed. Honoring your request would break this feature. Unless I can get a patch that addresses such a situation, I can't include this.

Posted by Ralph Schindler (ralph) on 2007-09-19T13:30:54.000+0000

Actually, its quite the opposite. It behaves as it does now by default, but you have the option to remove specific param sources if you opt to, as i do ;)

So basically, in the bootstrap, i should be able to set an option to remove Get & Post, and optionally, i can dig down in to the request object an specifically call $request->setParamSources(null);

This would not break BC, and, it is something I would suggest people do for security purposes.

-ralph

Posted by Matthew Weier O'Phinney (matthew) on 2007-11-16T14:44:29.000+0000

Scheduling for 1.1.0

Posted by Matthew Weier O'Phinney (matthew) on 2008-02-20T22:27:51.000+0000

Committed to trunk.