Deprecate the query route with an error message and remove the merging of query parameters into the route match
DASPRiD authored and weierophinney committed Mar 13, 2013
1 parent 087f459 commit 0a7ec34
Showing 2 changed files with 39 additions and 7 deletions.
30 changes: 30 additions & 0 deletions README.md
Expand Up @@ -13,6 +13,36 @@ DD MMM YYYY

### UPDATES IN 2.1.4

#### Security fix: Query route

The query route was deprecated, as a replacement exists within the HTTP router
itself. You can pass a "query" option to the assemble method containing either
the query string or an array of key-value pairs:

```php
$url = $router->assemble(array(
'name' => 'foo',
), array(
'query' => array(
'page' => 3,
'sort' => 'DESC',
),
// or: 'query' => 'page=3&sort=DESC'
));

// via URL helper/plugin:
$rendererOrController->url('foo', array(), array('query' => $request->getQuery()));
```

Additionally, the merging of query parameters into the route match was removed
to avoid potential security issues. Please use the query container of the
request object instead.

For more information on the security vector, please see
[ZF2013-01](http://framework.zend.com/security/ZF2013-01).

#### Better polyfill support

Better polyfill support in `Zend\Session` and `Zend\Stdlib`. Polyfills
(version-specific class replacements) have caused some issues in the 2.1 series.
In particular, users who were not using Composer were unaware/uncertain about
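Review bot: the README states that the `query` option accepts "either the query string or an array of key-value pairs", but the URL-helper example passes `$request->getQuery()` directly, and the removed code in Query.php shows that this returns an object that needs `->toArray()` before it is a plain array; either document that such an object is accepted by `assemble()` or change the example to `$request->getQuery()->toArray()` so it matches the documented contract. Also, the heading says "Security fix" while the first sentence only says the route "was deprecated"; state up front that the security-relevant change is the removal of query-parameter merging into the route match, so readers upgrading know which behaviour actually changed.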
16 changes: 9 additions & 7 deletions library/Zend/Mvc/Router/Http/Query.php
Expand Up @@ -15,6 +15,11 @@
use Zend\Stdlib\ArrayUtils;
use Zend\Stdlib\RequestInterface as Request;

/**
* Legacy purposes only, to prevent code that uses it from breaking.
*/
trigger_error('Query route deprecated as of ZF 2.1.4; use the "query" option of the HTTP router\'s assembling method instead', E_USER_DEPRECATED);

/**
* Query route.
*
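Review bot: `trigger_error(..., E_USER_DEPRECATED)` is placed at file scope, so it fires every time Query.php is loaded, not only when a Query route is instantiated, matched or assembled; with an autoloader, any code that merely references the class name (a classmap dump, a route plugin manager that lists the type, tooling that loads all classes) will emit the deprecation even though the route is never used. Moving the call into the constructor or into `factory()` would scope the notice to real usage. The message also says "assembling method" while the README hunk calls it the "assemble method"; align the wording so users searching for the replacement find it.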
Expand Down Expand Up @@ -82,13 +87,10 @@ public static function factory($options = array())
*/
public function match(Request $request, $pathOffset = null)
{
if (!method_exists($request, 'getQuery')) {
return null;
}

$matches = $this->recursiveUrldecode($request->getQuery()->toArray());

return new RouteMatch(array_merge($this->defaults, $matches));
// We don't merge the query parameters into the rotue match here because
// of possible security problems. Use the Query object instead which is
// included in the Request object.
return new RouteMatch($this->defaults);
}

/**
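Review bot: typo in the new comment, "rotue match" should be "route match". With the `method_exists` guard and the `recursiveUrldecode()` call removed, `match()` no longer reads `$request` or `$pathOffset` and returns a RouteMatch built from `$this->defaults` for every request; if this was the only caller of `recursiveUrldecode()`, remove that helper in the same commit, and update the `match()` docblock above the hunk so it no longer describes the query string as being consulted.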