NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.7k

[HttpFoundation] drop support for HTTP method override for GET, HEAD, CONNECT and TRACE requests#62042

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

nicolas-grekas merged 1 commit intosymfony:8.0fromxabbuh:pr-61949

Oct 12, 2025

Merged

[HttpFoundation] drop support for HTTP method override for GET, HEAD, CONNECT and TRACE requests#62042

nicolas-grekas merged 1 commit intosymfony:8.0fromxabbuh:pr-61949

Oct 12, 2025

+4 −5

Conversation

Copy link

Member

xabbuh commentedOct 11, 2025

Q	A
Branch?	8.0
Bug fix?	no
New feature?	yes
Deprecations?	no
Issues
License	MIT

carsonbot added Status: Needs Review Feature HttpFoundation labels

Oct 11, 2025

carsonbot added this to the8.0 milestone

Oct 11, 2025

drop support for HTTP method override for GET, HEAD, CONNECT and TRAC…

03d344f

…e requests

xabbuh force-pushed thepr-61949 branch fromf956e42 to03d344fCompare

October 11, 2025 18:48

xabbuh commented

Oct 11, 2025

View reviewed changes

src/Symfony/Component/HttpFoundation/Request.php


		$method =strtoupper($method);

		if (\in_array($method, ['GET','HEAD','CONNECT','TRACE'],true)) {

Copy link

MemberAuthor

xabbuhOct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I wonder if we should forbid (in 7.4) listing any of these methods in$allowedHttpMethodOverride

Copy link

Member

nicolas-grekasOct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

And return a 400?
I wondered the same and thought: what for in the end?

Copy link

MemberAuthor

xabbuhOct 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I was thinking of throwing an exception ifsetAllowedHttpMethodOverride() is called with a list of methods of which one or more are matching this list.

Copy link

Member

nicolas-grekasOct 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Ah, yes, that'd work for me, to spot misconfigs earlier

Copy link

MemberAuthor

xabbuhOct 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

see#62065

Copy link

Member

nicolas-grekas commentedOct 12, 2025

Thank you@xabbuh.

nicolas-grekas merged commitb6d7b24 intosymfony:8.0

Oct 12, 2025

9 of 10 checks passed

nicolas-grekas mentioned this pull request

Oct 12, 2025

[HttpFoundation] drop support for HTTP method override for GET, HEAD, C…symfony/symfony-docs#21491

Open

xabbuh deleted the pr-61949 branch

October 12, 2025 09:58

xabbuh mentioned this pull request

Oct 14, 2025

[FrameworkBundle][HttpFoundation] forbid HTTP method override of GET, HEAD, CONNECT and TRACE#62065

Merged

nicolas-grekas added a commit that referenced this pull request

Oct 14, 2025

minor#62065[FrameworkBundle][HttpFoundation] forbid HTTP method ove…

905f61c

…rride of GET, HEAD, CONNECT and TRACE (xabbuh)This PR was merged into the 7.4 branch.Discussion----------[FrameworkBundle][HttpFoundation] forbid HTTP method override of GET, HEAD, CONNECT and TRACE| Q             | A| ------------- | ---| Branch?       | 7.4| Bug fix?      | no| New feature?  | no| Deprecations? | no| Issues        | see#62042 (comment)| License       | MITCommits-------1b79380 forbid HTTP method override of GET, HEAD, CONNECT and TRACE