feature #61979 [HttpFoundation] Add Request::set/getAllowedHttpMethodOverride() to list which HTTP methods can be overridden (nicolas-grekas)

fabpot · fabpot · commit 1a5b5e59bc59 · 2025-10-10T07:42:48.000+02:00
This PR was merged into the 7.4 branch. Discussion ---------- [HttpFoundation] Add `Request::set/getAllowedHttpMethodOverride()` to list which HTTP methods can be overridden | Q | A | ------------- | --- | Branch? | 7.4 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | - | License | MIT This feature addresses https://github.com/symfony/symfony/pull/61949/files#r2402280654 and hardens HttpFoundation by giving control over which HTTP methods can be overridden: ```php Request::setAllowedHttpMethodOverride(['PUT', 'PATCH', 'DELETE']); ``` Providing no method disables verb tunneling altogether: ```php Request::setAllowedHttpMethodOverride([]); ``` This setting can be set using standard Symfony configuration: ```yaml framework: allowed_http_method_override: ['PUT', 'DELETE', 'PATCH'] ``` 2 implementations note: - This doesn't update the XSD file on purpose: that format is deprecated and handling it would mean adding more complexity that nobody will benefit from in practice. - This isn't compatible with defining the list of allowed methods using env vars. This could be added later if one has a use case for that. Until it happens, I prefer keeping the code simpler. Commits ------- a4f51c9 [HttpFoundation] Add `Request::$allowedHttpMethodOverride` to list which HTTP methods can be overridden
diff --git a/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md b/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
@@ -15,6 +15,7 @@ CHANGELOG
  * Add support for configuring the `CachingHttpClient`
  * Add support for weighted transitions in workflows
  * Add support for union types with `Symfony\Component\EventDispatcher\Attribute\AsEventListener`
+ * Add `framework.allowed_http_method_override` option
 
 7.3
 ---
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -91,9 +91,14 @@ public function getConfigTreeBuilder(): TreeBuilder
             ->children()
                 ->scalarNode('secret')->end()
                 ->booleanNode('http_method_override')
-                    ->info("Set true to enable support for the '_method' request parameter to determine the intended HTTP method on POST requests. Note: When using the HttpCache, you need to call the method in your front controller instead.")
+                    ->info("Set true to enable support for the '_method' request parameter to determine the intended HTTP method on POST requests.")
                     ->defaultFalse()
                 ->end()
+                ->arrayNode('allowed_http_method_override')
+                    ->info('Sets the list of HTTP methods that can be overridden. Set to null to allow all methods to be overridden (default). Set to an empty array to disallow overrides entirely. Otherwise, provide the list of uppercased method names that are allowed.')
+                    ->stringPrototype()->end()
+                    ->defaultNull()
+                ->end()
                 ->scalarNode('trust_x_sendfile_type_header')
                     ->info('Set true to enable support for xsendfile in binary file responses.')
                     ->defaultValue('%env(bool:default::SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER)%')
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -383,6 +383,7 @@ public function load(array $configs, ContainerBuilder $container): void
         $container->parameterCannotBeEmpty('kernel.secret', 'A non-empty value for the parameter "kernel.secret" is required. Did you forget to configure the '.$emptySecretHint.'?');
 
         $container->setParameter('kernel.http_method_override', $config['http_method_override']);
+        $container->setParameter('kernel.allowed_http_method_override', $config['allowed_http_method_override']);
         $container->setParameter('kernel.trust_x_sendfile_type_header', $config['trust_x_sendfile_type_header']);
         $container->setParameter('kernel.trusted_hosts', [0] === array_keys($config['trusted_hosts']) ? $config['trusted_hosts'][0] : $config['trusted_hosts']);
         $container->setParameter('kernel.default_locale', $config['default_locale']);
@@ -442,7 +443,7 @@ public function load(array $configs, ContainerBuilder $container): void
         }
 
         $propertyInfoEnabled = $this->readConfigEnabled('property_info', $container, $config['property_info']);
-        $this->registerHttpCacheConfiguration($config['http_cache'], $container, $config['http_method_override']);
+        $this->registerHttpCacheConfiguration($config['http_cache'], $container, $config['http_method_override'], $config['allowed_http_method_override']);
         $this->registerEsiConfiguration($config['esi'], $container, $loader);
         $this->registerSsiConfiguration($config['ssi'], $container, $loader);
         $this->registerFragmentsConfiguration($config['fragments'], $container, $loader);
@@ -945,7 +946,7 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
         }
     }
 
-    private function registerHttpCacheConfiguration(array $config, ContainerBuilder $container, bool $httpMethodOverride): void
+    private function registerHttpCacheConfiguration(array $config, ContainerBuilder $container, bool $httpMethodOverride, ?array $allowedHttpMethodOverride): void
     {
         $options = $config;
         unset($options['enabled']);
@@ -968,6 +969,14 @@ private function registerHttpCacheConfiguration(array $config, ContainerBuilder
                       ->setFactory([Request::class, 'enableHttpMethodParameterOverride'])
                   );
         }
+
+        if (null !== $allowedHttpMethodOverride) {
+            $container->getDefinition('http_cache')
+                    ->addArgument((new Definition('void'))
+                        ->setFactory([Request::class, 'setAllowedHttpMethodOverride'])
+                        ->addArgument($allowedHttpMethodOverride)
+                    );
+        }
     }
 
     private function registerEsiConfiguration(array $config, ContainerBuilder $container, PhpFileLoader $loader): void
diff --git a/src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php b/src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php
@@ -119,6 +119,10 @@ public function boot(): void
             Request::enableHttpMethodParameterOverride();
         }
 
+        if ($this->container->hasParameter('kernel.allowed_http_method_override')) {
+            Request::setAllowedHttpMethodOverride($this->container->getParameter('kernel.allowed_http_method_override'));
+        }
+
         if ($this->container->hasParameter('kernel.trust_x_sendfile_type_header') && $this->container->getParameter('kernel.trust_x_sendfile_type_header')) {
             BinaryFileResponse::trustXSendfileTypeHeader();
         }
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -715,6 +715,7 @@ protected static function getBundleDefaultConfig()
     {
         return [
             'http_method_override' => false,
+            'allowed_http_method_override' => null,
             'handle_all_throwables' => true,
             'trust_x_sendfile_type_header' => '%env(bool:default::SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER)%',
             'ide' => '%env(default::SYMFONY_IDE)%',
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTestCase.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTestCase.php
@@ -214,6 +214,30 @@ public function testHttpMethodOverride()
         $this->assertFalse($container->getParameter('kernel.http_method_override'));
     }
 
+    public function testAllowedHttpMethodOverride()
+    {
+        $container = $this->createContainerFromFile('full');
+
+        $this->assertNull($container->getParameter('kernel.allowed_http_method_override'));
+    }
+
+    public function testAllowedHttpMethodOverrideWithSpecificMethods()
+    {
+        $container = $this->createContainerFromClosure(function ($container) {
+            $container->loadFromExtension('framework', [
+                'annotations' => false,
+                'http_method_override' => true,
+                'allowed_http_method_override' => ['PUT', 'DELETE'],
+                'handle_all_throwables' => true,
+                'php_errors' => ['log' => true],
+                'secret' => 's3cr3t',
+            ]);
+        });
+
+        $this->assertTrue($container->getParameter('kernel.http_method_override'));
+        $this->assertEquals(['PUT', 'DELETE'], $container->getParameter('kernel.allowed_http_method_override'));
+    }
+
     public function testTrustXSendfileTypeHeader()
     {
         $container = $this->createContainerFromFile('full');
diff --git a/src/Symfony/Bundle/FrameworkBundle/composer.json b/src/Symfony/Bundle/FrameworkBundle/composer.json
@@ -25,7 +25,7 @@
         "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/error-handler": "^7.3|^8.0",
         "symfony/event-dispatcher": "^6.4|^7.0|^8.0",
-        "symfony/http-foundation": "^7.3|^8.0",
+        "symfony/http-foundation": "^7.4|^8.0",
         "symfony/http-kernel": "^7.2|^8.0",
         "symfony/polyfill-mbstring": "~1.0",
         "symfony/polyfill-php85": "^1.32",
diff --git a/src/Symfony/Component/HttpFoundation/CHANGELOG.md b/src/Symfony/Component/HttpFoundation/CHANGELOG.md
@@ -7,6 +7,7 @@ CHANGELOG
  * Add `#[WithHttpStatus]` to define status codes: 404 for `SignedUriException` and 403 for `ExpiredSignedUriException`
  * Add support for the `QUERY` HTTP method
  * Add support for structured MIME suffix
+ * Add `Request::set/getAllowedHttpMethodOverride()` to list which HTTP methods can be overridden
  * Deprecate using `Request::sendHeaders()` after headers have already been sent; use a `StreamedResponse` instead
  * Deprecate method `Request::get()`, use properties `->attributes`, `query` or `request` directly instead
  * Make `Request::createFromGlobals()` parse the body of PUT, DELETE, PATCH and QUERY requests
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -81,6 +81,13 @@ class Request
 
     protected static bool $httpMethodParameterOverride = false;
 
+    /**
+     * The HTTP methods that can be overridden.
+     *
+     * @var uppercase-string[]|null
+     */
+    protected static ?array $allowedHttpMethodOverride = null;
+
     /**
      * Custom parameters.
      */
@@ -680,6 +687,30 @@ public static function getHttpMethodParameterOverride(): bool
         return self::$httpMethodParameterOverride;
     }
 
+    /**
+     * Sets the list of HTTP methods that can be overridden.
+     *
+     * Set to null to allow all methods to be overridden (default). Set to an
+     * empty array to disallow overrides entirely. Otherwise, provide the list
+     * of uppercased method names that are allowed.
+     *
+     * @param uppercase-string[]|null $methods
+     */
+    public static function setAllowedHttpMethodOverride(?array $methods): void
+    {
+        self::$allowedHttpMethodOverride = $methods;
+    }
+
+    /**
+     * Gets the list of HTTP methods that can be overridden.
+     *
+     * @return uppercase-string[]|null
+     */
+    public static function getAllowedHttpMethodOverride(): ?array
+    {
+        return self::$allowedHttpMethodOverride;
+    }
+
     /**
      * Gets a "parameter" value from any bag.
      *
@@ -1197,7 +1228,7 @@ public function getMethod(): string
 
         $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
 
-        if ('POST' !== $this->method) {
+        if ('POST' !== $this->method || !(self::$allowedHttpMethodOverride ?? true)) {
             return $this->method;
         }
 
@@ -1213,11 +1244,11 @@ public function getMethod(): string
 
         $method = strtoupper($method);
 
-        if (\in_array($method, ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE', 'QUERY'], true)) {
-            return $this->method = $method;
+        if (self::$allowedHttpMethodOverride && !\in_array($method, self::$allowedHttpMethodOverride, true)) {
+            return $this->method;
         }
 
-        if (!preg_match('/^[A-Z]++$/D', $method)) {
+        if (\strlen($method) !== strspn($method, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')) {
             throw new SuspiciousOperationException('Invalid HTTP method override.');
         }
 
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -33,6 +33,7 @@ protected function tearDown(): void
     {
         Request::setTrustedProxies([], -1);
         Request::setTrustedHosts([]);
+        Request::setAllowedHttpMethodOverride(null);
     }
 
     public function testInitialize()
@@ -255,6 +256,50 @@ public function testCreate()
         $this->assertEquals('http://test.com/foo', $request->getUri());
     }
 
+    public function testHttpMethodOverrideRespectsAllowedListWithHeader()
+    {
+        $request = Request::create('http://example.com/', 'POST');
+        $request->headers->set('X-HTTP-METHOD-OVERRIDE', 'PATCH');
+
+        Request::setAllowedHttpMethodOverride(['PUT', 'PATCH']);
+
+        $this->assertSame('PATCH', $request->getMethod());
+    }
+
+    public function testHttpMethodOverrideDisallowedSkipsOverrideWithHeader()
+    {
+        $request = Request::create('http://example.com/', 'POST');
+        $request->headers->set('X-HTTP-METHOD-OVERRIDE', 'DELETE');
+
+        Request::setAllowedHttpMethodOverride(['PUT', 'PATCH']);
+
+        $this->assertSame('POST', $request->getMethod());
+    }
+
+    public function testHttpMethodOverrideDisabledWithEmptyAllowedList()
+    {
+        $request = Request::create('http://example.com/', 'POST');
+        $request->headers->set('X-HTTP-METHOD-OVERRIDE', 'PUT');
+
+        Request::setAllowedHttpMethodOverride([]);
+
+        $this->assertSame('POST', $request->getMethod());
+    }
+
+    public function testHttpMethodOverrideRespectsAllowedListWithParameter()
+    {
+        Request::enableHttpMethodParameterOverride();
+        Request::setAllowedHttpMethodOverride(['PUT']);
+
+        try {
+            $request = Request::create('http://example.com/', 'POST', ['_method' => 'PUT']);
+
+            $this->assertSame('PUT', $request->getMethod());
+        } finally {
+            (new \ReflectionProperty(Request::class, 'httpMethodParameterOverride'))->setValue(null, false);
+        }
+    }
+
     public function testCreateWithRequestUri()
     {
         $request = Request::create('http://test.com:80/foo');

Original file line number	Diff line number	Diff line change
`@@ -383,6 +383,7 @@ public function load(array $configs, ContainerBuilder $container): void`
`383`	`383`	`$container->parameterCannotBeEmpty('kernel.secret', 'A non-empty value for the parameter "kernel.secret" is required. Did you forget to configure the '.$emptySecretHint.'?');`
`384`	`384`
`385`	`385`	`$container->setParameter('kernel.http_method_override', $config['http_method_override']);`
	`386`	`+ $container->setParameter('kernel.allowed_http_method_override', $config['allowed_http_method_override']);`
`386`	`387`	`$container->setParameter('kernel.trust_x_sendfile_type_header', $config['trust_x_sendfile_type_header']);`
`387`	`388`	`$container->setParameter('kernel.trusted_hosts', [0] === array_keys($config['trusted_hosts']) ? $config['trusted_hosts'][0] : $config['trusted_hosts']);`
`388`	`389`	`$container->setParameter('kernel.default_locale', $config['default_locale']);`
`@@ -442,7 +443,7 @@ public function load(array $configs, ContainerBuilder $container): void`
`442`	`443`	`}`
`443`	`444`
`444`	`445`	`$propertyInfoEnabled = $this->readConfigEnabled('property_info', $container, $config['property_info']);`
`445`		`- $this->registerHttpCacheConfiguration($config['http_cache'], $container, $config['http_method_override']);`
	`446`	`+ $this->registerHttpCacheConfiguration($config['http_cache'], $container, $config['http_method_override'], $config['allowed_http_method_override']);`
`446`	`447`	`$this->registerEsiConfiguration($config['esi'], $container, $loader);`
`447`	`448`	`$this->registerSsiConfiguration($config['ssi'], $container, $loader);`
`448`	`449`	`$this->registerFragmentsConfiguration($config['fragments'], $container, $loader);`
`@@ -945,7 +946,7 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont`
`945`	`946`	`}`
`946`	`947`	`}`
`947`	`948`
`948`		`- private function registerHttpCacheConfiguration(array $config, ContainerBuilder $container, bool $httpMethodOverride): void`
	`949`	`+ private function registerHttpCacheConfiguration(array $config, ContainerBuilder $container, bool $httpMethodOverride, ?array $allowedHttpMethodOverride): void`
`949`	`950`	`{`
`950`	`951`	`$options = $config;`
`951`	`952`	`unset($options['enabled']);`
`@@ -968,6 +969,14 @@ private function registerHttpCacheConfiguration(array $config, ContainerBuilder`
`968`	`969`	`->setFactory([Request::class, 'enableHttpMethodParameterOverride'])`
`969`	`970`	`);`
`970`	`971`	`}`
	`972`	`+`
	`973`	`+ if (null !== $allowedHttpMethodOverride) {`
	`974`	`+ $container->getDefinition('http_cache')`
	`975`	`+ ->addArgument((new Definition('void'))`
	`976`	`+ ->setFactory([Request::class, 'setAllowedHttpMethodOverride'])`
	`977`	`+ ->addArgument($allowedHttpMethodOverride)`
	`978`	`+ );`
	`979`	`+ }`
`971`	`980`	`}`
`972`	`981`
`973`	`982`	`private function registerEsiConfiguration(array $config, ContainerBuilder $container, PhpFileLoader $loader): void`
Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,10 @@ public function boot(): void`
`119`	`119`	`Request::enableHttpMethodParameterOverride();`
`120`	`120`	`}`
`121`	`121`
	`122`	`+ if ($this->container->hasParameter('kernel.allowed_http_method_override')) {`
	`123`	`+ Request::setAllowedHttpMethodOverride($this->container->getParameter('kernel.allowed_http_method_override'));`
	`124`	`+ }`
	`125`	`+`
`122`	`126`	`if ($this->container->hasParameter('kernel.trust_x_sendfile_type_header') && $this->container->getParameter('kernel.trust_x_sendfile_type_header')) {`
`123`	`127`	`BinaryFileResponse::trustXSendfileTypeHeader();`
`124`	`128`	`}`
Original file line number	Diff line number	Diff line change
`@@ -715,6 +715,7 @@ protected static function getBundleDefaultConfig()`
`715`	`715`	`{`
`716`	`716`	`return [`
`717`	`717`	`'http_method_override' => false,`
	`718`	`+ 'allowed_http_method_override' => null,`
`718`	`719`	`'handle_all_throwables' => true,`
`719`	`720`	`'trust_x_sendfile_type_header' => '%env(bool:default::SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER)%',`
`720`	`721`	`'ide' => '%env(default::SYMFONY_IDE)%',`