Transport\Curl/Fsockopen: add input validation #629
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
schlessera
approved these changes
Nov 16, 2021
schlessera
requested changes
Nov 16, 2021
This commit adds input validation to the `Curl::request()` and the `Fsockopen::request()` methods along the same lines as added to `Requests::request()`. * The `$url` parameter is validated to allow for a string or Stringable (Iri) object. * The `$headers` parameter is validated to allow only an array for consistency between both transport classes. * The `$data` parameter already had (looser) input validation. This has been tightened up to only allow for the declared supported types, array and string (and null). * The `$options` parameter is validated to allow only an array - same as in `Requests::request()`. Includes: * Adding perfunctory tests for the new exceptions. * Adjusting one existing test to ensure that passing the `$url` as a stringable object is safeguarded. * Adjusting the existing tests for the `$data` parameter validation to be in line with the new validation.
This commit adds input validation to the `Curl::request_multiple()` and the `Fsockopen::request_multiple()` methods along the same lines as added to `Requests::request_multiple()`. * For `$requests`, arrays and iterable objects with array access should be accepted based on how the parameter is used within this class. * The `$options` parameter is validated to allow only an array - same as in `Requests::request()`. Includes aligning the behaviour when receiving an empty `$requests` array between the `Curl` and the `Fsockopen` classes and returning an empty array in that case. Includes adding perfunctory tests for the new exceptions.
jrfnl
force-pushed
the
feature/transport-add-input-validation
branch
from
8190960
to
f703215
Compare
schlessera
approved these changes
Nov 16, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Transport\Curl/Fsockopen::request(): add input validation
This commit adds input validation to the
Curl::request()and theFsockopen::request()methods along the same lines as added toRequests::request().$urlparameter is validated to allow for a string or Stringable (Iri) object.$headersparameter is validated to allow only an array for consistency between both transport classes.$dataparameter already had (looser) input validation. This has been tightened up to only allow for the declared supported types, array and string (and null).$optionsparameter is validated to allow only an array - same as inRequests::request().Includes:
$urlas a stringable object is safeguarded.$dataparameter validation to be in line with the new validation.Transport\Curl/Fsockopen::request_multiple(): add input validation
This commit adds input validation to the
Curl::request_multiple()and theFsockopen::request_multiple()methods along the same lines as added toRequests::request_multiple().$requests, arrays and iterable objects with array access should be accepted based on how the parameter is used within this class.$optionsparameter is validated to allow only an array - same as inRequests::request().Includes aligning the behaviour when receiving an empty
$requestsarray between theCurland theFsockopenclasses and returning an empty array in that case.Includes adding perfunctory tests for the new exceptions.
Regarding the other
publicmethods inCurl:public, theget_subrequest_handle()andprocess_response()methods look to be intended for internal use only.stream_headers()andstream_body(). Note: these methods both take a$handleparameter which is subsequently unused. I imagine this was to allow for overloaded methods to receive the$handle, but the class has becomefinalnow (after investigation and finding no extended classes), so these methods can no be overloaded.I think it may be a good idea to deprecate the public methods in a future minor in favour of
protected/privatereplacements which only receive the parameters which are actually use.test()method for which the$capabilitiesparameter is only used after anisset()on the keys used, so this is safe as-is.publicmethods do not take parameters.Regarding the other
publicmethods inFsockopen:connect_error_handler()method is an error handler and should not be called directly.public, theverify_certificate_from_context()method looks to be intended for internal use only.test()method for which the$capabilitiesparameter is only used after anisset()on the keys used, so this is safe as-is.