Response\Headers: add input validation + more defensive coding #605
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit adds input validation to the `getValues()` and `flatten()` methods in the `Response\Headers` class.
* The `getValues()` method is only set up to handle integer/string array keys, so should not accept any other type of array key.
* The `flatten()` method is set up to only handle string or array values to flatten, so should not accept any other type of value.
Throwing the exception constitutes a BC-break as previously non-string, non-array values would be returned as-is, while now an exception will be thrown. All the same, in those cases, the return type would previously not comply with the documented behaviour of the method, so this could be considered a bug fix.
As for the other methods:
* The `public` ArrayAccess/ArrayIterator methods should not need additional input validation as they should not be called directly, but only indirectly and when called that way, will receive the correct input type.
Includes adding perfunctory tests for the added input validation and for the `flatten()` method in general.
The `Response\Headers` class extends the `CaseInsensitiveDictionary`. In the second commit of PR 558, extra defensive coding was added to the `offsetGet()` and `offsetSet()` methods to prevent passing non-string keys to the PHP native `strtolower()` method. As per the commit message of that commit: > The use of `strtolower()` on non-string keys, is 1) not necessary and 2) had side-effects when non-string keys were used as those were then cast to string... > > While this class is intended to be used with requests headers, the class in itself is not limited to this use-case, so should function as per the specifications, independently of the use-case. This commit applies the same fixes to the `Response\Headers::offsetGet()` and `Response\Headers::offsetSet()` methods. Includes adding unit tests covering the changes.
schlessera
approved these changes
Nov 8, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Class Response\Headers: add input validation
This commit adds input validation to the
getValues()andflatten()methods in theResponse\Headersclass.getValues()method is only set up to handle integer/string array keys, so should not accept any other type of array key.flatten()method is set up to only handle string or array values to flatten, so should not accept any other type of value.Throwing the exception constitutes a BC-break as previously non-string, non-array values would be returned as-is, while now an exception will be thrown. All the same, in those cases, the return type would previously not comply with the documented behaviour of the method, so this could be considered a bug fix.
As for the other methods:
publicArrayAccess/ArrayIterator methods should not need additional input validation as they should not be called directly, but only indirectly and when called that way, will receive the correct input type.Includes adding perfunctory tests for the added input validation and for the
flatten()method in general.Response\Headers: add more defensive coding
The
Response\Headersclass extends theCaseInsensitiveDictionary. In the second commit of PR #558, extra defensive coding was added to theoffsetGet()andoffsetSet()methods to prevent passing non-string keys to the PHP nativestrtolower()method.As per the commit message of that commit:
This commit applies the same fixes to the
Response\Headers::offsetGet()andResponse\Headers::offsetSet()methods.Includes adding unit tests covering the changes.