Input value "_method" contains a non-scalar value. #48871

Closed
tobz-nz opened this issue Nov 1, 2023 · 5 comments

@tobz-nz
Contributor

tobz-nz commented Nov 1, 2023

Laravel Version

10.29.0

PHP Version

8.2.2

Database Driver & Version

No response

Description

One of my sites has been getting attacked today, and one of the things they did was post _method as an array to a form endpoint, which throws an error (stack trace removed for security): https://flareapp.io/share/DPyKdV65

This is the relevant line:

// vendor/symfony/http-foundation/Request.php
if (!$method && self::$httpMethodParameterOverride) {
    $method = $this->request->get('_method', $this->query->get('_method', 'POST'));
}

Steps To Reproduce

In a new Laravel install (with Pest) make a test like:

it('validates _method', function () {
    $this->post('/', ['_method' => ['invalid']])
        ->assertInvalid('_method');
});

@crynobone
Member

It seems that the issue also exists in Symfony HTTP Foundation; it might be worth reporting the issue there.

@mbabker
Contributor

mbabker commented Nov 1, 2023

This is not a Symfony bug, but an API design decision.

Symfony\Component\HttpFoundation\InputBag was introduced for exactly this type of scenario (an array being stuffed into an input where a single value is expected), with its get() method only being allowed to return scalar values. Symfony is behaving as intended and explicitly forbidding an array value for the _method field in the input, throwing a Symfony\Component\HttpFoundation\Exception\BadRequestException (which should give the client a 400 response).

@driesvints
Member

Thanks @mbabker. Seems things work as expected here then. We'd appreciate a PR to avoid logging this specific exception!

@driesvints driesvints added help wanted and removed bug labels Nov 2, 2023

github-actions bot commented Nov 2, 2023

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

@driesvints
Member

We'd still appreciate a PR for this one, thanks.
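
One application-level way to stop logging the exception discussed in this thread, given as an added example that is not part of the thread and not Laravel's own code. It assumes the Laravel 10 application skeleton's `app/Exceptions/Handler.php`; the explicit 400 response body is an assumption of this example.

```php
<?php
// app/Exceptions/Handler.php (assumed path, Laravel 10 application skeleton)

namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Exception\BadRequestException;

class Handler extends ExceptionHandler
{
    /**
     * Exception types that are never reported (logged).
     *
     * InputBag::get() throws BadRequestException when "_method" arrives as
     * an array. That is a malformed client request, not an application
     * fault, so it is excluded from error reporting.
     *
     * @var array<int, class-string<\Throwable>>
     */
    protected $dontReport = [
        BadRequestException::class,
    ];

    /**
     * Register the exception handling callbacks for the application.
     */
    public function register(): void
    {
        // Assumption of this example: answer with an explicit 400 so the
        // client sees a client-error status for the rejected input.
        $this->renderable(function (BadRequestException $e, Request $request) {
            return response('Bad Request', 400);
        });
    }
}
```

The rejected requests still appear in the web server's access log as 400 responses, so repeated probing of a form endpoint stays visible there even though the application error log no longer records it.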
