Description
Hi,
someone is trying to attack our website by passing invalid values to the route parameter.
The parameter requires a number (`[1-9][0-9]*`) and the controller argument is of type `int`. But when the number is bigger than `PHP_INT_MAX`, a `TypeError` is thrown.
There is a solution using a simple regular expression (`[1-9][0-9]{0,18}`) which limits the max number to 9*10^18.
Wouldn't it be better if the router checked whether the argument is of type integer and, if the route parameter does not fit, threw a `ResourceNotFoundException`?
Casting invalid numbers to integers is not possible because two different URLs would point to the same resource.
Or is there a better solution?
Example
http://127.0.0.1:8001/sample/9223372036854775808
```php
<?php
// Controller as posted: the route requirement only constrains the digit
// pattern, so an over-range value still reaches the `int $id` parameter.

namespace App\Controller;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Routing\Requirement\Requirement;

class SampleController
{
    #[Route('/sample/{id}', requirements: ['id' => Requirement::POSITIVE_INT])]
    public function index(int $id): Response
    {
        return new Response(sprintf('ID: %d.', $id));
    }
}
```
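Added example, not code from the issue above or from Symfony: plain PHP that reproduces the three behaviours the report touches on (the `(int)` cast collapsing distinct URLs onto one id, coercion through `int $id` throwing `TypeError` for an over-range value, and a guard that turns the overflow into a 404-style error instead). The check works on the decimal string, so it also rejects 19-digit values above `PHP_INT_MAX` that a `{0,18}` digit-count regex still accepts. `fitsInPhpInt`, `resolveId` and the `NotFound` class (a stand-in for Symfony's `NotFoundHttpException`) are names chosen here, not Symfony APIs; the sample inputs are constructed.

```php
<?php
// Added example, not code from the original issue or from Symfony.
// No declare(strict_types=1) on purpose: Symfony's kernel invokes controllers
// from non-strict code, so a string route attribute is coerced into `int $id`.

/**
 * True when $raw is a positive decimal string that fits in a PHP int.
 * Works on the string itself, so no overflow or float rounding can occur.
 */
function fitsInPhpInt(string $raw): bool
{
    if (preg_match('/^[1-9][0-9]*$/', $raw) !== 1) {
        return false;                            // same shape as Requirement::POSITIVE_INT
    }
    $max = (string) PHP_INT_MAX;                 // "9223372036854775807" on 64-bit PHP
    if (strlen($raw) !== strlen($max)) {
        return strlen($raw) < strlen($max);      // fewer digits fits, more digits cannot
    }
    return strcmp($raw, $max) <= 0;              // equal length: byte order == numeric order
}

/** Hypothetical stand-in for Symfony's NotFoundHttpException (assumption). */
final class NotFound extends RuntimeException {}

/** Converts a route attribute to int or reports 404; never throws TypeError. */
function resolveId(string $raw): int
{
    if (!fitsInPhpInt($raw)) {
        throw new NotFound(sprintf('No resource for id "%s".', $raw));
    }
    return (int) $raw;                           // safe: proven to fit
}

/** Mirrors the controller signature from the issue. */
function index(int $id): string
{
    return sprintf('ID: %d.', $id);
}

// Constructed inputs: the valid maximum, the reported attack value, and a
// 19-digit value that the proposed [1-9][0-9]{0,18} regex still accepts.
$inputs = [
    '9223372036854775807',
    '9223372036854775808',
    '9999999999999999999',
];

foreach ($inputs as $raw) {
    // (int) cast saturates at PHP_INT_MAX, so all three would collide on one id.
    printf("%s  cast=%d  ", $raw, (int) $raw);

    // Current behaviour: coercion through `int $id` throws for out-of-range values.
    try {
        printf("hint=%s  ", index($raw));
    } catch (TypeError $e) {
        printf("hint=TypeError  ");
    }

    // Guarded behaviour: overflow becomes a 404-style error before the controller runs.
    try {
        printf("guarded=%s\n", index(resolveId($raw)));
    } catch (NotFound $e) {
        printf("guarded=404 (%s)\n", $e->getMessage());
    }
}
```

Run it with `php` from the command line; only the first input reaches the controller on the guarded path, and the cast column shows the same id for all three inputs, which is the collision the report warns about. In a Symfony application the same string check would sit wherever the route attribute is turned into the controller argument, so that the failure surfaces as a 404 rather than a `TypeError`.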