
Routes don't specify HTTP methods

Open garak opened this issue 2 years ago • 4 comments

| Q                 | A       |
|-------------------|---------|
| Bug?              | kind of |
| New Feature?      | no      |
| Support question? | no      |
| Version           | 2.x     |

Actual Behavior

All routes defined in the Resources/config/routing/ directory don't define HTTP methods (e.g. GET, POST, etc.). It would be better to restrict such routes only to the intended methods, to narrow the scope of possible attacks.

Expected Behavior

Routes should define methods.

Steps to Reproduce

Run in a terminal bin/console debug:router | grep hwi_. You'll see bundle routes with value ANY in Method column.

Possible Solutions

Provide methods in configuration. I can provide a PR.

garak avatar Sep 27 '21 14:09 garak
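To make the ANY value in the Method column concrete, here is an added example (not code from HWIOAuthBundle or from this thread) using the standalone symfony/routing component: the same path is registered once without methods and once restricted to GET/POST, then matched against several verbs. The route name, path and controller are constructed placeholders, and a composer install of symfony/routing is assumed.

```php
<?php
// Added illustration, not HWIOAuthBundle code. Assumes composer require symfony/routing.
// Route name, path and controller below are constructed placeholders.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Routing\Exception\MethodNotAllowedException;
use Symfony\Component\Routing\Matcher\UrlMatcher;
use Symfony\Component\Routing\RequestContext;
use Symfony\Component\Routing\Route;
use Symfony\Component\Routing\RouteCollection;

// Build a one-route collection; an empty $methods array is what debug:router shows as ANY.
function buildRoutes(array $methods): RouteCollection
{
    $routes = new RouteCollection();
    $routes->add('example_oauth_connect', new Route(
        '/connect/{service}',
        ['_controller' => 'ExampleController::connectAction'], // placeholder controller
        ['service' => '[a-z_]+'],
        [], '', [], $methods
    ));
    return $routes;
}

// Match $path with the given verb; return the route name, or the allowed verbs on a 405.
function tryMatch(RouteCollection $routes, string $method, string $path): string
{
    $matcher = new UrlMatcher($routes, new RequestContext('', $method));
    try {
        return $matcher->match($path)['_route'];
    } catch (MethodNotAllowedException $e) {
        return '405, allowed: ' . implode(',', $e->getAllowedMethods());
    }
}

$unrestricted = buildRoutes([]);              // Method column: ANY
$restricted   = buildRoutes(['GET', 'POST']); // Method column: GET|POST

foreach (['GET', 'POST', 'DELETE', 'TRACE'] as $verb) {
    printf("%-6s unrestricted=%s restricted=%s\n",
        $verb,
        tryMatch($unrestricted, $verb, '/connect/github'),
        tryMatch($restricted, $verb, '/connect/github'));
}
```

Running it shows DELETE and TRACE reaching the controller on the unrestricted collection while the restricted one rejects them with the allowed verbs listed.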

This would be a BC break, but I think it can go into the upcoming 2.0 version.

stloyd avatar Dec 09 '21 09:12 stloyd

This would be a BC break, but I think it can go into the upcoming 2.0 version.

Really? I guess that the routes are intended to work only in GET/POST, and other methods should not be allowed from the beginning.

garak avatar Dec 09 '21 09:12 garak

Intended - yes, but we allowed it the other way around before, as you can replace our controllers in your code... 😂

So technically limiting that possibility would be a BC break ;)

stloyd avatar Dec 09 '21 09:12 stloyd

Should be fixed with #1847.

stloyd avatar Dec 10 '21 18:12 stloyd