[HttpFoundation] Add parse_str()-based methods for query strings normalization

nicolas-grekas · nicolas-grekas · commit 85383c1f03e7 · 2018-03-19T10:52:52.000+01:00
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -524,9 +524,11 @@ public function __toString()
      */
     public function overrideGlobals()
     {
-        $this->server->set('QUERY_STRING', static::normalizeQueryString(http_build_query($this->query->all(), '', '&')));
+        $query = $this->query->all();
+        ksort($query);
+        $this->server->set('QUERY_STRING', http_build_query($query, '', '&', PHP_QUERY_RFC3986));
 
-        $_GET = $this->query->all();
+        $_GET = $query;
         $_POST = $this->request->all();
         $_SERVER = $this->server->all();
         $_COOKIE = $this->cookies->all();
@@ -656,6 +658,24 @@ public static function normalizeQueryString($qs)
         return implode('&', $parts);
     }
 
+    /**
+     * Normalizes a query string using `parse_str()`.
+     *
+     * It builds a normalized query string, where root-keys/value pairs are alphabetized,
+     * have consistent escaping and unneeded delimiters are removed.
+     */
+    public static function normalizeQueryStringForPhp(string $qs): string
+    {
+        if ('' == $qs) {
+            return '';
+        }
+
+        parse_str($qs, $qs);
+        ksort($qs);
+
+        return http_build_query($qs, '', '&', PHP_QUERY_RFC3986);
+    }
+
     /**
      * Enables support for the _method request parameter to determine the intended HTTP method.
      *
@@ -1037,6 +1057,20 @@ public function getUri()
         return $this->getSchemeAndHttpHost().$this->getBaseUrl().$this->getPathInfo().$qs;
     }
 
+    /**
+     * Generates a `parse_str()`-normalized URI (URL) for the Request.
+     *
+     * @see getQueryStringForPhp()
+     */
+    public function getUriForPhp(): string
+    {
+        if (null !== $qs = $this->getQueryStringForPhp()) {
+            $qs = '?'.$qs;
+        }
+
+        return $this->getSchemeAndHttpHost().$this->getBaseUrl().$this->getPathInfo().$qs;
+    }
+
     /**
      * Generates a normalized URI for the given path.
      *
@@ -1119,6 +1153,19 @@ public function getQueryString()
         return '' === $qs ? null : $qs;
     }
 
+    /**
+     * Generates the query string for the Request, using `parse_str()` it value.
+     *
+     * It builds a normalized query string, where root-keys/value pairs are alphabetized
+     * and have consistent escaping.
+     */
+    public function getQueryStringForPhp(): ?string
+    {
+        $qs = static::normalizeQueryStringForPhp($this->server->get('QUERY_STRING'));
+
+        return '' === $qs ? null : $qs;
+    }
+
     /**
      * Checks whether the request is secure or not.
      *
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -696,6 +696,56 @@ public function getQueryStringNormalizationData()
             // Ignore pairs with empty key, even if there was a value, e.g. "=value", as such nameless values cannot be retrieved anyway.
             // PHP also does not include them when building _GET.
             array('foo=bar&=a=b&=x=y', 'foo=bar', 'removes params with empty key'),
+
+            // Also reorder nested query string keys
+            array('foo[]=Z&foo[]=A', 'foo%5B%5D=A&foo%5B%5D=Z', 'reorders values'),
+            array('foo[Z]=B&foo[A]=B', 'foo%5BA%5D=B&foo%5BZ%5D=B', 'reorders keys'),
+
+            array('utf8=✓', 'utf8=%E2%9C%93', 'encodes UTF-8'),
+        );
+    }
+
+    /**
+     * @dataProvider getQueryStringNormalizationDataForPhp
+     */
+    public function testGetQueryStringForPhp($query, $expectedQuery, $msg)
+    {
+        $request = new Request();
+
+        $request->server->set('QUERY_STRING', $query);
+        $this->assertSame($expectedQuery, $request->getQueryStringForPhp(), $msg);
+    }
+
+    public function getQueryStringNormalizationDataForPhp()
+    {
+        return array(
+            array('foo', 'foo=', 'works with valueless parameters'),
+            array('foo=', 'foo=', 'includes a dangling equal sign'),
+            array('bar=&foo=bar', 'bar=&foo=bar', '->works with empty parameters'),
+            array('foo=bar&bar=', 'bar=&foo=bar', 'sorts keys alphabetically'),
+
+            // GET parameters, that are submitted from a HTML form, encode spaces as "+" by default (as defined in enctype application/x-www-form-urlencoded).
+            // PHP also converts "+" to spaces when filling the global _GET or when using the function parse_str.
+            array('him=John%20Doe&her=Jane+Doe', 'her=Jane%20Doe&him=John%20Doe', 'normalizes spaces in both encodings "%20" and "+"'),
+
+            array('foo[]=1&foo[]=2', 'foo%5B0%5D=1&foo%5B1%5D=2', 'allows array notation'),
+            array('foo=1&foo=2', 'foo=2', 'merges repeated parameters'),
+            array('pa%3Dram=foo%26bar%3Dbaz&test=test', 'pa%3Dram=foo%26bar%3Dbaz&test=test', 'works with encoded delimiters'),
+            array('0', '0=', 'allows "0"'),
+            array('Jane Doe&John%20Doe', 'Jane_Doe=&John_Doe=', 'normalizes encoding in keys'),
+            array('her=Jane Doe&him=John%20Doe', 'her=Jane%20Doe&him=John%20Doe', 'normalizes encoding in values'),
+            array('foo=bar&&&test&&', 'foo=bar&test=', 'removes unneeded delimiters'),
+            array('formula=e=m*c^2', 'formula=e%3Dm%2Ac%5E2', 'correctly treats only the first "=" as delimiter and the next as value'),
+
+            // Ignore pairs with empty key, even if there was a value, e.g. "=value", as such nameless values cannot be retrieved anyway.
+            // PHP also does not include them when building _GET.
+            array('foo=bar&=a=b&=x=y', 'foo=bar', 'removes params with empty key'),
+
+            // Don't reorder nested query string keys
+            array('foo[]=Z&foo[]=A', 'foo%5B0%5D=Z&foo%5B1%5D=A', 'keeps order of values'),
+            array('foo[Z]=B&foo[A]=B', 'foo%5BZ%5D=B&foo%5BA%5D=B', 'keeps order of keys'),
+
+            array('utf8=✓', 'utf8=%E2%9C%93', 'encodes UTF-8'),
         );
     }
 
diff --git a/src/Symfony/Component/HttpKernel/HttpCache/HttpCache.php b/src/Symfony/Component/HttpKernel/HttpCache/HttpCache.php
@@ -661,7 +661,7 @@ private function record(Request $request, string $event)
     private function getTraceKey(Request $request): string
     {
         $path = $request->getPathInfo();
-        if ($qs = $request->getQueryString()) {
+        if ($qs = $request->getQueryStringForPhp()) {
             $path .= '?'.$qs;
         }
 
diff --git a/src/Symfony/Component/HttpKernel/HttpCache/Store.php b/src/Symfony/Component/HttpKernel/HttpCache/Store.php
@@ -421,7 +421,7 @@ public function getPath($key)
      */
     protected function generateCacheKey(Request $request)
     {
-        return 'md'.hash('sha256', $request->getUri());
+        return 'md'.hash('sha256', $request->getUriForPhp());
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -661,7 +661,7 @@ private function record(Request $request, string $event)`
`661`	`661`	`private function getTraceKey(Request $request): string`
`662`	`662`	`{`
`663`	`663`	`$path = $request->getPathInfo();`
`664`		`- if ($qs = $request->getQueryString()) {`
	`664`	`+ if ($qs = $request->getQueryStringForPhp()) {`
`665`	`665`	`$path .= '?'.$qs;`
`666`	`666`	`}`
`667`	`667`
Original file line number	Diff line number	Diff line change
`@@ -421,7 +421,7 @@ public function getPath($key)`
`421`	`421`	`*/`
`422`	`422`	`protected function generateCacheKey(Request $request)`
`423`	`423`	`{`
`424`		`- return 'md'.hash('sha256', $request->getUri());`
	`424`	`+ return 'md'.hash('sha256', $request->getUriForPhp());`
`425`	`425`	`}`
`426`	`426`
`427`	`427`	`/**`