I think injected services should have precedence over request parameters
because:
* on name collision you can always access request parameters by using
the request service
function showAction($doctrineManager, Request $request)
{
$requestName = $request->getRequestParameter('request');
// maybe implement ArrayAccess?
$requestName = $request['request'];
}
* request parameters aren't trusted and therefore should never overwrite
trusted variables
* passed arguments are only "shortcuts" to the "real" parameters handled
by (injected) services
* the developer should be able to use the request service instead of
passed arguments without keeping name collision in mind
A problem that arises here is that you can break existing actions by
defining a new service with a request parameter name.
The only solution that comes in my mind is to force type hints for
services...
hehe, that's definitely a problem we want to avoid. So, I think routing
variables should have precedence over services. The problems you
mentioned before are mitigated by the following:
* Routing variables can only be "strings"
* The requirements of the routing system is there to validate the input
* These values are not "more" trusted than any other request
parameter. It's still the developer job to do something about them.
* When creating an action method, the developer will immediately spot
that one of its routing variable conflict with a service name. It's then
easy enough to rename the routing variable.
What do you think?
Fabien
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
To unsubscribe from this group, send email to symfony-devs+unsubscribegooglegroups.com or
reply to this email with the words "REMOVE ME" as the subject.
