enableHttpMethodParameterOverride() public static method

Be warned that enabling this feature can introduce CSRF exposure in your code: check that you are using CSRF tokens wherever they are required. Once the HTTP method parameter override is enabled, an HTML form submitted with method "POST" can be altered to send a "PUT" or "DELETE" request simply by supplying a `_method` request parameter. If the routes handling those methods are not protected against CSRF (for example because they were assumed to be unreachable from a cross-site form), this is a possible vulnerability. The HTTP method can only be overridden when the real HTTP method is POST, and because the switch is a static setting it applies to every Request created after it is enabled for the rest of the process.
コード例 #1
ファイル: FrameworkBundle.php プロジェクト: nfabre/symfony
 /**
  * Boots the bundle: applies the kernel's trusted-proxy list and, when the
  * `kernel.http_method_override` parameter is truthy, lets a POST request
  * masquerade as PUT/DELETE/... through the `_method` request parameter.
  *
  * Both Request settings are static and therefore process-wide once applied.
  * Enabling the override widens the CSRF surface of every non-GET route, so
  * those routes must carry CSRF protection (see the method's own warning).
  */
 public function boot()
 {
     $proxies = $this->container->getParameter('kernel.trusted_proxies');
     if ($proxies) {
         Request::setTrustedProxies($proxies);
     }

     $overrideWanted = $this->container->getParameter('kernel.http_method_override');
     if ($overrideWanted) {
         Request::enableHttpMethodParameterOverride();
     }
 }
コード例 #2
ファイル: FrameworkBundle.php プロジェクト: Dren-x/mobit
 /**
  * Boots the bundle. The order is kept exactly as before: error handler
  * first, then trusted proxies, then the optional `_method` HTTP method
  * override, then trusted hosts. The three Request settings are static and
  * so apply process-wide from this point on.
  *
  * With the override on, a POST may carry a `_method` parameter naming
  * PUT/DELETE/...; any route reachable that way needs CSRF protection.
  */
 public function boot()
 {
     ErrorHandler::register(null, false)->throwAt($this->container->getParameter('debug.error_handler.throw_at'), true);

     $proxies = $this->container->getParameter('kernel.trusted_proxies');
     if ($proxies) {
         Request::setTrustedProxies($proxies);
     }

     if ($this->container->getParameter('kernel.http_method_override')) {
         Request::enableHttpMethodParameterOverride();
     }

     $hosts = $this->container->getParameter('kernel.trusted_hosts');
     if ($hosts) {
         Request::setTrustedHosts($hosts);
     }
 }
コード例 #3
ファイル: BaseTestCase.php プロジェクト: styling/LeesPharm
 /**
  * Builds the ServiceKernel used by the tests: boots a non-debug 'test'
  * AppKernel and hands its parameter bag and database connection to a fresh
  * ServiceKernel, logged in as a fixture super-admin.
  *
  * The previous comment described this as per-test database clean-up; the
  * body does not touch any table, so that description is not repeated here.
  *
  * Review notes:
  *  - enableHttpMethodParameterOverride() flips static, process-wide state
  *    and is not reset in this method, so it stays on for whatever runs
  *    afterwards in the same process.
  *  - the Request built from the superglobals is not used beyond this line.
  *  - the fixture user is a hard-coded super-admin (id 1, password 'admin');
  *    this class must never be reachable from a non-test autoload path.
  */
 private function setServiceKernel()
 {
     $appKernel = new \AppKernel('test', false);
     $appKernel->loadClassCache();
     $appKernel->boot();

     Request::enableHttpMethodParameterOverride();
     $request = Request::createFromGlobals();

     $container = $appKernel->getContainer();
     $serviceKernel = ServiceKernel::create($appKernel->getEnvironment(), $appKernel->isDebug());
     $serviceKernel->setParameterBag($container->getParameterBag());
     $serviceKernel->setConnection($container->get('database_connection'));

     $adminUser = new CurrentUser();
     $adminUser->fromArray(array(
         'id' => 1,
         'nickname' => 'admin',
         'email' => '*****@*****.**',
         'password' => 'admin',
         'currentIp' => '127.0.0.1',
         'roles' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_SUPER_ADMIN', 'ROLE_TEACHER'),
     ));
     $serviceKernel->setCurrentUser($adminUser);

     $this->serviceKernel = $serviceKernel;
 }
コード例 #4
ファイル: Application.php プロジェクト: cangit/beatrix
 /**
  * Application constructor.
  *
  * Registers the lazily-built Request service, loads the settings file,
  * builds the factory (DI) definitions through the cache service, optionally
  * runs an environment-specific "autoexecute" script, and finally forces
  * error_reporting(E_ALL). APP_ROOT is a constant defined outside this file.
  */
 public function __construct()
 {
     parent::__construct();
     /* Symfony HttpFoundation Request object */
     // http://symfony.com/doc/current/components/http_foundation/introduction.html#accessing-request-data
     // The `_method` override is switched on inside the closure, i.e. only
     // when $this['request'] is first resolved. It is static, process-wide
     // state: from then on a POST can reach PUT/DELETE routes via `_method`,
     // so those routes must be CSRF-protected.
     $this['request'] = $this->share(function () {
         Request::enableHttpMethodParameterOverride();
         return Request::createFromGlobals();
     });
     // Hard stop when the settings file is missing. The message is fixed (no
     // filesystem path is echoed back); note it says "setting.php" while the
     // file checked is settings.php.
     if (file_exists(APP_ROOT . '/app/config/beatrix/settings.php') === false) {
         exit("Application is not installed correctly. Error: Could not locate setting.php file.");
     }
     $defaultSettings = ['name' => 'Beatrix', 'cache.interface' => 'none', 'cache.routes' => false, 'cache' => false, 'env' => 'prod'];
     // NOTE(review): the required file is expected to populate $this->settings,
     // which the merge on the next line reads — confirm against settings.php.
     require APP_ROOT . '/app/config/beatrix/settings.php';
     $this->settings = array_merge($defaultSettings, $this->settings);
     // Factory definitions are loaded from YAML through the cache service; the
     // last argument is the 'cache' setting (false unless settings.php sets it).
     $this->settings['factory'] = $this['cache']->file('BeatrixFactory', APP_ROOT . '/app/config/beatrix/factoryDefinitions.yml', 'yml', $this->settings['cache']);
     $this->settings['DIC'] = $this->settings['factory'];
     // BC, Old factory definitions used DIC.
     if (isset($this->settings['timezone'])) {
         date_default_timezone_set($this->settings['timezone']);
     }
     // Environment hooks: the script is require'd here, with full access to
     // $this. Only \Exception is caught and downgraded to a logged warning;
     // anything else thrown or fatal in the script still aborts construction.
     if ($this->setting('env') === 'prod') {
         if (file_exists(APP_ROOT . '/app/config/beatrix/prodAutoexecute.php')) {
             try {
                 require APP_ROOT . '/app/config/beatrix/prodAutoexecute.php';
             } catch (\Exception $e) {
                 $this['logger']->warning('Catchable error in /app/config/beatrix/prodAutoexecute.php');
             }
         }
     }
     if ($this->setting('env') === 'dev') {
         if (file_exists(APP_ROOT . '/app/config/beatrix/devAutoexecute.php')) {
             try {
                 require APP_ROOT . '/app/config/beatrix/devAutoexecute.php';
             } catch (\Exception $e) {
                 $this['logger']->warning('Catchable error in /app/config/beatrix/devAutoexecute.php');
             }
         }
     }
     // Applied in every environment, prod included. Whether reported errors
     // reach the client depends on display_errors, which is not touched here.
     error_reporting(E_ALL);
 }
コード例 #5
ファイル: Kernel.php プロジェクト: speedwork/core
 /**
  * {@inheritdoc}
  *
  * Stores the request on the application, enables the `_method` override
  * (a static setting, so it is process-wide from this point on), bootstraps
  * and dispatches. A ConflictingHeadersException raised while handling is
  * wrapped in a BadRequestHttpException before being reported; with
  * $catch === false the request is finished and the exception rethrown
  * instead of being rendered by handleException().
  *
  * @param Request $request
  * @param int     $type
  * @param bool    $catch
  *
  * @return Response
  */
 public function handle(Request $request, $type = self::MASTER_REQUEST, $catch = true)
 {
     $this->app['request'] = $request;
     $request->enableHttpMethodParameterOverride();
     $this->bootstrap();

     try {
         $result = $this->handleRaw($request);
     } catch (\Exception $exception) {
         if ($exception instanceof ConflictingHeadersException) {
             $exception = new BadRequestHttpException('The request headers contain conflicting information regarding the origin of this request.', $exception);
         }

         if (false === $catch) {
             $this->finishRequest($request, $type);
             throw $exception;
         }

         return $this->handleException($exception, $request, $type);
     }

     // Controllers may return raw content; wrap it so callers always get a Response.
     return $result instanceof Response ? $result : new Response($result);
 }
コード例 #6
ファイル: app.php プロジェクト: metabor/start-app
<?php

use Symfony\Component\ClassLoader\ApcClassLoader;
use Symfony\Component\HttpFoundation\Request;
// Front controller: install the class loader, wrap the kernel in the HTTP
// cache and serve one request. The kernel runs as 'prod' with debug off.
$classLoader = (require_once __DIR__ . '/../app/bootstrap.php.cache');

// Replace the plain loader with an APC-backed one. 'sf2' is the APC key
// prefix; give each application sharing the APC instance its own prefix so
// their cached class paths cannot collide.
$cachedLoader = new ApcClassLoader('sf2', $classLoader);
$classLoader->unregister();
$cachedLoader->register(true);

require_once __DIR__ . '/../app/AppKernel.php';
require_once __DIR__ . '/../app/AppCache.php';

$appKernel = new AppKernel('prod', false);
$appKernel->loadClassCache();
$kernel = new AppCache($appKernel);

// With the HttpCache in front of the kernel the override has to be enabled
// here in the front controller rather than through the configuration
// parameter. It is static, process-wide state: a POST can now reach
// PUT/DELETE routes via `_method`, so those routes need CSRF protection.
Request::enableHttpMethodParameterOverride();

$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);
コード例 #7
 /**
  * Exercises Request::createFromGlobals() in three steps: (1) each
  * superglobal lands in its own parameter bag; (2) with a form-encoded
  * content type and the raw method, the body is parsed (through the
  * RequestContentProxy helper defined elsewhere in the suite) and the
  * method is upper-cased; (3) once the `_method` override is enabled, a
  * real POST reports the overridden method from getMethod() while
  * getRealMethod() still reports POST.
  *
  * Every superglobal written is unset again and the override is disabled
  * at the end: both are process-wide state shared with every other test.
  *
  * @dataProvider provideOverloadedMethods
  */
 public function testCreateFromGlobals($method)
 {
     $normalizedMethod = strtoupper($method);
     // Step 1: one value per superglobal, each expected in the matching bag.
     $_GET['foo1'] = 'bar1';
     $_POST['foo2'] = 'bar2';
     $_COOKIE['foo3'] = 'bar3';
     $_FILES['foo4'] = array('bar4');
     $_SERVER['foo5'] = 'bar5';
     $request = Request::createFromGlobals();
     $this->assertEquals('bar1', $request->query->get('foo1'), '::fromGlobals() uses values from $_GET');
     $this->assertEquals('bar2', $request->request->get('foo2'), '::fromGlobals() uses values from $_POST');
     $this->assertEquals('bar3', $request->cookies->get('foo3'), '::fromGlobals() uses values from $_COOKIE');
     $this->assertEquals(array('bar4'), $request->files->get('foo4'), '::fromGlobals() uses values from $_FILES');
     $this->assertEquals('bar5', $request->server->get('foo5'), '::fromGlobals() uses values from $_SERVER');
     unset($_GET['foo1'], $_POST['foo2'], $_COOKIE['foo3'], $_FILES['foo4'], $_SERVER['foo5']);
     // Step 2: form-encoded body with the provider's method. The proxy
     // presumably substitutes a fixed body; 'mycontent' is asserted below.
     $_SERVER['REQUEST_METHOD'] = $method;
     $_SERVER['CONTENT_TYPE'] = 'application/x-www-form-urlencoded';
     $request = RequestContentProxy::createFromGlobals();
     $this->assertEquals($normalizedMethod, $request->getMethod());
     $this->assertEquals('mycontent', $request->request->get('content'));
     unset($_SERVER['REQUEST_METHOD'], $_SERVER['CONTENT_TYPE']);
     // Step 3: the result of this call is discarded (purpose not evident here).
     Request::createFromGlobals();
     // Enable the static override; REQUEST_METHOD is deliberately mixed-case
     // to show the real-method check is case-insensitive, and the `_method`
     // field in the POST body becomes the reported method.
     Request::enableHttpMethodParameterOverride();
     $_POST['_method'] = $method;
     $_POST['foo6'] = 'bar6';
     $_SERVER['REQUEST_METHOD'] = 'PoSt';
     $request = Request::createFromGlobals();
     $this->assertEquals($normalizedMethod, $request->getMethod());
     $this->assertEquals('POST', $request->getRealMethod());
     $this->assertEquals('bar6', $request->request->get('foo6'));
     unset($_POST['_method'], $_POST['foo6'], $_SERVER['REQUEST_METHOD']);
     // Reset the process-wide override so it cannot leak into other tests.
     $this->disableHttpMethodParameterOverride();
 }
コード例 #8
ファイル: Application.php プロジェクト: hiroyasu55/ec-cube
 /**
  * Wires the application: locale, session, Twig, the Silex providers, the
  * production error page, mailer, Doctrine, security, the EC-CUBE provider
  * and the front/admin controller mounts. The call order is preserved from
  * the original because later steps rely on services registered earlier.
  *
  * The last step enables the `_method` override so HTML forms can issue
  * PUT and DELETE. That is static, process-wide state: every PUT/DELETE
  * route mounted above, admin ones included, becomes reachable from a
  * cross-site POST and must be CSRF-protected.
  */
 public function initialize()
 {
     $this->initLocale();
     $this->initSession();
     $this->initRendering();

     $this->register(new \Silex\Provider\HttpFragmentServiceProvider());
     $this->register(new \Silex\Provider\UrlGeneratorServiceProvider());
     $this->register(new \Silex\Provider\FormServiceProvider());
     $this->register(new \Silex\Provider\SerializerServiceProvider());
     $this->register(new \Eccube\ServiceProvider\ValidatorServiceProvider());

     // Generic error page for non-debug runs; in debug the handler returns
     // null so the framework's own error output is used instead. The texts
     // are deliberately vague (the 403 one does not confirm the resource
     // exists) so nothing about the application's internals is disclosed.
     $application = $this;
     $errorTexts = array(
         403 => array('アクセスできません。', 'お探しのページはアクセスができない状況にあるか、移動もしくは削除された可能性があります。'),
         404 => array('ページがみつかりません。', 'URLに間違いがないかご確認ください。'),
     );
     $fallbackText = array('システムエラーが発生しました。', '大変お手数ですが、サイト管理者までご連絡ください。');
     $this->error(function (\Exception $e, $code) use ($application, $errorTexts, $fallbackText) {
         if ($application['debug']) {
             return;
         }
         list($title, $message) = isset($errorTexts[$code]) ? $errorTexts[$code] : $fallbackText;

         return $application['twig']->render('error.twig', array('error_title' => $title, 'error_message' => $message));
     });

     $this->initMailer();
     $this->initDoctrine();
     $this->initSecurity();

     $this->register(new ServiceProvider\EccubeServiceProvider());

     $this->register(new \Silex\Provider\ServiceControllerServiceProvider());
     $this->mount('', new ControllerProvider\FrontControllerProvider());
     $adminPrefix = '/' . trim($this['config']['admin_route'], '/') . '/';
     $this->mount($adminPrefix, new ControllerProvider\AdminControllerProvider());

     // Allow PUT/DELETE from HTML forms through `_method` (static, process-wide).
     Request::enableHttpMethodParameterOverride();
 }
コード例 #9
 /**
  * Deletes the entity with the given id by delegating to the parent action.
  *
  * The `_method` override is switched on here; it is static, so it stays on
  * for the rest of the process. NOTE(review): if routing has already
  * resolved this request's method before the action runs, the current
  * request's `_method` may not be honoured — the front controller or kernel
  * boot is the usual place for this call. Confirm it is needed here.
  *
  * @param mixed $id
  */
 public function deleteAction($id)
 {
     Request::enableHttpMethodParameterOverride();

     $response = parent::deleteAction($id);

     return $response;
 }
コード例 #10
ファイル: Application.php プロジェクト: asuzuki2008/ec-cube
 /**
  * Wires the application once (guarded by $this->initialized). Steps run in
  * the original order: locale, session (only if none is started yet), Twig,
  * the Silex providers including the HTTP cache, the production error page,
  * mailer, Doctrine plus an early DB connectivity check, security, the
  * EC-CUBE provider, controller mounts, the `_method` override, the
  * transaction listener and finally the HTTP-cache request setup.
  *
  * The `_method` override is static, process-wide state: once on, every
  * PUT/DELETE route mounted here (admin included) is reachable from a
  * cross-site POST and must be CSRF-protected.
  */
 public function initialize()
 {
     if ($this->initialized) {
         return;
     }

     $this->initLocale();
     if (!$this->isSessionStarted()) {
         $this->initSession();
     }
     $this->initRendering();

     $httpCacheDir = __DIR__ . '/../../app/cache/http/';
     $this->register(new \Silex\Provider\HttpCacheServiceProvider(), array('http_cache.cache_dir' => $httpCacheDir));
     $this->register(new \Silex\Provider\HttpFragmentServiceProvider());
     $this->register(new \Silex\Provider\UrlGeneratorServiceProvider());
     $this->register(new \Silex\Provider\FormServiceProvider());
     $this->register(new \Silex\Provider\SerializerServiceProvider());
     $this->register(new \Eccube\ServiceProvider\ValidatorServiceProvider());

     // Generic error page for non-debug runs; in debug the handler returns
     // null so the framework's own error output is used instead. The texts
     // are deliberately vague (the 403 one does not confirm the resource
     // exists) so nothing about the application's internals is disclosed.
     $application = $this;
     $errorTexts = array(
         403 => array('アクセスできません。', 'お探しのページはアクセスができない状況にあるか、移動もしくは削除された可能性があります。'),
         404 => array('ページがみつかりません。', 'URLに間違いがないかご確認ください。'),
     );
     $fallbackText = array('システムエラーが発生しました。', '大変お手数ですが、サイト管理者までご連絡ください。');
     $this->error(function (\Exception $e, $code) use ($application, $errorTexts, $fallbackText) {
         if ($application['debug']) {
             return;
         }
         list($title, $message) = isset($errorTexts[$code]) ? $errorTexts[$code] : $fallbackText;

         return $application->render('error.twig', array('error_title' => $title, 'error_message' => $message));
     });

     $this->initMailer();
     $this->initDoctrine();
     // Open the DBAL connection now so a misconfigured database fails early.
     $this->checkDatabaseConnection();
     $this->initSecurity();

     $this->register(new ServiceProvider\EccubeServiceProvider());

     $this->register(new \Silex\Provider\ServiceControllerServiceProvider());
     $this->mount('', new ControllerProvider\FrontControllerProvider());
     $adminPrefix = '/' . trim($this['config']['admin_route'], '/') . '/';
     $this->mount($adminPrefix, new ControllerProvider\AdminControllerProvider());

     // Allow PUT/DELETE from HTML forms through `_method` (static, process-wide).
     Request::enableHttpMethodParameterOverride();

     $this['dispatcher']->addSubscriber(new TransactionListener($this));
     $this->initCacheRequest();

     $this->initialized = true;
 }
コード例 #11
ファイル: Application.php プロジェクト: sstok/park-manager
 /**
  * Builds the Request from PHP's superglobals, enabling the `_method`
  * override first so a POST can carry PUT/DELETE/... The override is a
  * static setting and stays on process-wide; routes reachable through it
  * need CSRF protection.
  */
 protected function buildRequest()
 {
     Request::enableHttpMethodParameterOverride();

     $incoming = Request::createFromGlobals();
     $this->request = $incoming;
 }
コード例 #12
ファイル: common.php プロジェクト: ngs-doo/dsl-skeleton-php
};
// Form type map: the DSL-generated form types first, then the NGS built-in
// types merged over them (same-named entries are won by the built-ins).
$app['ngs.form.typemap'] = $app->share(function () use ($app) {
    $builtinTypes = array(
        'ngs_bytestream' => 'NGS\\Symfony\\Form\\Type\\BytestreamType',
        'ngs_checkbox' => 'NGS\\Symfony\\Form\\Type\\CheckboxType',
        'ngs_collection' => 'NGS\\Symfony\\Form\\Type\\CollectionType',
        'ngs_decimal' => 'NGS\\Symfony\\Form\\Type\\DecimalType',
        'ngs_uuid' => 'NGS\\Symfony\\Form\\Type\\UUIDType',
        'ngs_integer' => 'NGS\\Symfony\\Form\\Type\\IntegerType',
        'ngs_localdate' => 'NGS\\Symfony\\Form\\Type\\LocalDateType',
        'ngs_lookup' => 'NGS\\Symfony\\Form\\Type\\LookupType',
        'ngs_money' => 'NGS\\Symfony\\Form\\Type\\MoneyType',
        'ngs_reference' => 'NGS\\Symfony\\Form\\Type\\ReferenceType',
        'ngs_text' => 'NGS\\Symfony\\Form\\Type\\TextType',
        'ngs_timestamp' => 'NGS\\Symfony\\Form\\Type\\TimestampType',
    );

    return array_merge($app['dsl.source.forms'], $builtinTypes);
});

// Register the NGS form extension on top of whatever extensions exist.
$app['form.extensions'] = $app->share($app->extend('form.extensions', function ($extensions) use ($app) {
    $extensions[] = new \NGS\Symfony\Form\FormExtension($app['ngs.form.typemap']);

    return $extensions;
}));

// Template search path: app templates, generated UI, then the vendored admin.
$projectRoot = __DIR__ . '/..';
$app['twig.path'] = array(
    realpath($projectRoot . '/templates'),
    realpath($projectRoot . '/Generated-PHP-UI'),
    realpath($projectRoot . '/vendor/dsl-platform/admin/templates'),
);
$twigNamespace = 'dsl_gen';
$app['twig.loader.filesystem'] = $app->share(function ($app) {
    $filesystemLoader = new \Twig_Loader_Filesystem($app['twig.path']);
    // @todo namespaced twig paths
    // $filesystemLoader->addPath(__DIR__.'/../vendor/dsl-platform/dsl-admin-php/templates', 'dsl_admin');

    return $filesystemLoader;
});
$app['twig.options'] = array('cache' => __DIR__ . '/../var/cache/twig');

// Let HTML forms issue PUT/DELETE through `_method`. This is static,
// process-wide state: the CRUD routes mounted below become reachable from a
// cross-site POST and must carry CSRF protection.
\Symfony\Component\HttpFoundation\Request::enableHttpMethodParameterOverride();

$app['crud.controller'] = $app->share(function () use ($app) {
    return new \PhpDslAdmin\CrudController($app);
});
$crudProvider = new \PhpDslAdmin\CrudControllerProvider();
$crudApp = $crudProvider->connect($app);
$app->mount('/crud', $crudApp);

// Both landing routes render the same index template.
$renderIndex = function () use ($app) {
    return $app['twig']->render('index.twig');
};
$app->get('/', $renderIndex);
$app->get('/crud', $renderIndex);
コード例 #13
ファイル: ZedBootstrap.php プロジェクト: spryker/Application
 /**
  * Turns on Symfony's `_method` parameter override so Zed forms can submit
  * PUT/DELETE/... through a POST. The setting is static and process-wide,
  * and is deliberately not configurable by projects. Any route reachable
  * via `_method` is exposed to cross-site POSTs and needs CSRF protection.
  *
  * @return void
  */
 private function enableHttpMethodParameterOverride()
 {
     Request::enableHttpMethodParameterOverride();
 }
コード例 #14
ファイル: Application.php プロジェクト: mikegibson/sentient
 /**
  * Enables the `_method` override before delegating to the parent kernel,
  * but only for the master request; sub-requests skip the call (the
  * setting is static, so the master request's call presumably already
  * covers them). Routes reachable via `_method` need CSRF protection.
  *
  * @param Request $request
  * @param int $type
  * @param bool $catch
  * @return \Symfony\Component\HttpFoundation\Response
  */
 public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQUEST, $catch = true)
 {
     $isMasterRequest = ($type === HttpKernelInterface::MASTER_REQUEST);
     if ($isMasterRequest) {
         $request->enableHttpMethodParameterOverride();
     }

     return parent::handle($request, $type, $catch);
 }
コード例 #15
 /**
  * Prepares the runtime: derives the debug flag from app.config, installs
  * the error and exception handlers (passing the debug flag to the latter)
  * and enables the `_method` HTTP method override, which is static and
  * therefore process-wide. Routes reachable via `_method` need CSRF
  * protection.
  */
 protected function bootstrapEnvironment()
 {
     $debugEnabled = (bool) $this["app.config"]["environment.debug"];
     $this["debug"] = $debugEnabled;

     Errorhandler::register();
     ExceptionHandler::register($this["debug"]);
     Request::enableHttpMethodParameterOverride();
 }
コード例 #16
 /**
  * Front-controller entry point: loads the bootstrap, enables the `_method`
  * override (static, process-wide; done before the Request is built so the
  * parameter is honoured for this request), builds the Request from the
  * superglobals and runs the kernel's handle/send/terminate cycle.
  */
 public function handleRequest()
 {
     $this->loadBootstrap();
     $httpKernel = $this->getKernel();

     Request::enableHttpMethodParameterOverride();
     $incoming = Request::createFromGlobals();

     $reply = $httpKernel->handle($incoming);
     $reply->send();
     $httpKernel->terminate($incoming, $reply);
 }