ZF-1798: Zend_Controller_Request_Http too liberal when retrieving parameter sources

Issue Type: Bug Created: 2007-08-01T13:16:13.000+0000 Last Updated: 2008-03-21T16:25:17.000+0000 Status: Resolved Fix version(s): - 1.5.0 (17/Mar/08)

Reporter: Ralph Schindler (ralph) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Controller

Related issues: Attachments:


_GET and _POST should not be consulted when retrieving request parameters in a front-controller, routed system.


I have a proposed fix:

<pre class="highlight">
In http request:
    protected $_paramSources = array('_GET', '_POST');
    public function setParamSources(Array $paramSources = array())
        $this->_paramSources = $paramSources;
        return $this;


    // changes to getParams getParam
    public function getParam($key, $default = null)
        $keyName = (null !== ($alias = $this->getAlias($key))) ? $alias : $key;

        if (isset($this->_params[$keyName])) {
            return $this->_params[$keyName];
        } elseif (in_array('_GET', $this->_paramSources) && (isset($_GET[$keyName]))) {
            return $_GET[$keyName];
        } elseif (in_array('_POST', $this->_paramSources) && (isset($_POST[$keyName]))) {
            return $_POST[$keyName];

        return $default;

    public function getParams()
        $return = $this->_params;
        if (isset($_GET) && is_array($_GET) && in_array('_GET', $this->_paramSources)) {
            $return += $_GET;
        if (isset($_POST) && is_array($_POST) && in_array('_POST', $this->_paramSources)) {
            $return += $_POST;
        return $return;

This also needs to be set as a FrontController parameter, since request creation happens at dispatch time.

But i think you know what to do.


Posted by Matthew Weier O'Phinney (matthew) on 2007-09-14T12:10:58.000+0000

The reason the request object pulls from $_GET and $_POST is so that if mod_rewrite (or a similar solution) is unavailable, requests may still be routed. Honoring your request would break this feature. Unless I can get a patch that addresses such a situation, I can't include this.

Posted by Ralph Schindler (ralph) on 2007-09-19T13:30:54.000+0000

Actually, its quite the opposite. It behaves as it does now by default, but you have the option to remove specific param sources if you opt to, as i do ;)

So basically, in the bootstrap, i should be able to set an option to remove Get & Post, and optionally, i can dig down in to the request object an specifically call $request->setParamSources(null);

This would not break BC, and, it is something I would suggest people do for security purposes.


Posted by Matthew Weier O'Phinney (matthew) on 2007-11-16T14:44:29.000+0000

Scheduling for 1.1.0

Posted by Matthew Weier O'Phinney (matthew) on 2008-02-20T22:27:51.000+0000

Committed to trunk.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.