PHP 8.1: improve input validation for Requests_Transport_(fsockopen|cURL)
#499
+117
−0
PHP 8.1 deprecates passing `null` to non-nullable parameters for PHP native functions.
Ref: https://wiki.php.net/rfc/deprecate_null_to_scalar_internal_arg

The `Requests_Transport_fsockopen::request()` method passes `$request_body` into the PHP native `strlen()` function without sufficient validation, which on PHP 8.1 results in a `strlen(): Passing null to parameter #1 ($string) of type string is deprecated` notification.

The existing `RequestsTest_Transport_Base::testEmptyPOST()` test method exposed this.

When investigating this issue, I realized that no significant input validation was being done on the `$data` parameter.

PR #368 in response to issue #248 added a test to verify that the "content-length" header was correctly set when `null` would be passed as `$data` and added a safe-guard specifically for when `null` would be passed. Also, as a matter of form, integers and floats were handled correctly for `fsockopen`, but anything else would lead to PHP errors in unexpected places in every supported PHP version, including integers and floats in combination with the `cURL` class.

To mitigate this, I propose to:

- `Requests_Exception_InvalidArgument` class which extends the PHP native `InvalidArgumentException`.
- `$data` parameter to both the `cURL` as well as the `fsockopen` Transport class which maintains and stabilizes the pre-existing behaviour for handling of `null`, synchronizes the behaviour for integers and floats to be the same across `fsockopen` and `cURL`, but will throw the new `InvalidArgument` exception for any other type of unexpected input for the `$data` parameter.

Includes additional tests covering this change.
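
The `$data` validation described above, sketched as an added example that is not the PR's or the Requests library's own code. The class and function names are hypothetical, and the mapping of `null` to an empty string, the string cast for integers and floats, and the acceptance of strings and arrays are assumptions.

```php
<?php
// Added illustration; not the Requests library's code. All names are hypothetical.

class Example_InvalidArgument extends InvalidArgumentException {}

/**
 * Normalize a request body before it reaches PHP native string functions.
 * Assumed mapping: null -> '', int/float -> string, string/array pass through,
 * anything else is rejected up front instead of failing deeper in the transport.
 */
function example_normalize_data($data) {
    if ($data === null) {
        return '';
    }
    if (is_int($data) || is_float($data)) {
        return (string) $data;
    }
    if (is_string($data) || is_array($data)) {
        return $data;
    }
    throw new Example_InvalidArgument(sprintf(
        'Argument $data must be of type string|array|int|float|null, %s given',
        gettype($data)
    ));
}

/** Content-Length computed only after normalization, so strlen() never sees null. */
function example_content_length($data) {
    $body = example_normalize_data($data);
    if (is_array($body)) {
        $body = http_build_query($body, '', '&');
    }
    return strlen($body);
}

// Constructed sample inputs covering the accepted and rejected types.
$samples = [null, 'a=b', 42, 1.5, ['k' => 'v'], true, new stdClass()];
foreach ($samples as $sample) {
    try {
        printf("%-8s => Content-Length: %d\n", gettype($sample), example_content_length($sample));
    } catch (Example_InvalidArgument $e) {
        printf("%-8s => rejected: %s\n", gettype($sample), $e->getMessage());
    }
}
```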