HWIOAuthBundle
Routes don't specify HTTP methods
| Q | A |
|---|---|
| Bug? | kind of |
| New Feature? | no |
| Support question? | no |
| Version | 2.x |
Actual Behavior
All routes defined in `Resources/config/routing/` directory don't define HTTP methods (e.g. `GET`, `POST`, etc.)
It would be better to restrict such routes only to intended methods, to narrow the scope of possible attacks.
Expected Behavior
Routes should define methods.
Steps to Reproduce
Run in a terminal `bin/console debug:router | grep hwi_`. You'll see bundle routes with value `ANY` in `Method` column.
Possible Solutions
Provide methods in configuration. I can provide a PR.
This would be BC break, but I think it can go into upcoming 2.0 version.
> This would be BC break, but I think it can go into upcoming 2.0 version.
Really? I guess that the routes are intended to work only in GET/POST, and other methods should not be allowed from the beginning.
Intended - yes, but we allowed to use other way around before as you can replace our controllers in your code... 😂
So technically limiting that possibility would be BC break ;)
Should be fixed with #1847.
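
The check from "Steps to Reproduce" can be turned into a pass/fail audit for CI. The following is an added example, not part of the issue thread or the bundle's code; the function names and the sample table (including its route names and paths) are constructed for illustration and assume the standard five-column `debug:router` table layout.

```shell
# Flag routes whose Method column is ANY in `bin/console debug:router` output.
# In a real project: bin/console debug:router | unrestricted_routes hwi_

unrestricted_routes() {
    # $1 = route-name prefix to audit; the router table is read from stdin.
    # Prints "name path" for each offending route; returns 1 if any were found.
    awk -v prefix="$1" '
        # Data rows have five columns: Name Method Scheme Host Path.
        # Separator rows start with "-" and the header row starts with "Name",
        # so neither can match a route-name prefix.
        NF >= 5 && index($1, prefix) == 1 && $2 == "ANY" {
            print $1, $5
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of debug:router output (not taken from a real install).
sample_router_table() {
    cat <<'EOF'
 ---------------------------- ---------- -------- ------ --------------------
  Name                         Method     Scheme   Host   Path
 ---------------------------- ---------- -------- ------ --------------------
  app_home                     ANY        ANY      ANY    /
  hwi_oauth_service_redirect   ANY        ANY      ANY    /connect/{service}
  hwi_oauth_connect            GET|POST   ANY      ANY    /login/
 ---------------------------- ---------- -------- ------ --------------------
EOF
}

# Demo run: reports the one hwi_ route that still accepts any method.
sample_router_table | unrestricted_routes hwi_ \
    || echo "unrestricted hwi_ routes found"
```

Because the function exits non-zero when it finds a match, it can gate a build so that a routing change cannot silently reintroduce `ANY`.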