Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[HttpClient] Replace escapeshellarg to prevent overpassing ARG_MAX #52429

Merged
merged 1 commit into from
Nov 3, 2023
Merged

[HttpClient] Replace escapeshellarg to prevent overpassing ARG_MAX #52429

merged 1 commit into from
Nov 3, 2023
+21 −50

Conversation

alexandre-daubois
Copy link
Member

@alexandre-daubois alexandre-daubois commented Nov 2, 2023
edited
Loading

Q A
Branch? 6.3
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix #49693
License MIT

I'm not 100% sure if it is a bugfix or a feature.

I used Nicolas' suggestion in the issue to sanitize the input and used --data-raw to avoid any automatic formatting.

Removing the use of escapeshellarg() also allows to remove HttpClientDataCollectorTest::testItDoesNotGeneratesCurlCommandsForNotEncodableBody(). Indeed, the body can now be encoded and will result on the following cURL command:

curl \\n
      --compressed \\n
      --request POST \\n
      --url 'http://localhost:8057/json' \\n
      --header 'Accept: */*' \\n
      --header 'Content-Length: 1' \\n
      --header 'Content-Type: application/x-www-form-urlencoded' \\n
      --header 'Accept-Encoding: gzip' \\n
      --header 'User-Agent: Symfony HttpClient (Native)' \\n
      --data-raw '\x00'

@carsonbot carsonbot added this to the 6.3 milestone Nov 2, 2023
@alexandre-daubois alexandre-daubois force-pushed the httpclientdatadecorator-argmax branch 3 times, most recently from 88259df to d8be8f5 Compare November 3, 2023 09:16
@alexandre-daubois
Copy link
Member Author

alexandre-daubois commented Nov 3, 2023
edited
Loading

@nicolas-grekas I really like your idea of leveraging Process. I updated the code to use it first if it exists.

nicolas-grekas
nicolas-grekas approved these changes Nov 3, 2023
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after minor changes

src/Symfony/Component/HttpClient/DataCollector/HttpClientDataCollector.php Outdated
{
return \strlen($payload) < ('\\' === \DIRECTORY_SEPARATOR ? 8100 : 256000);
if (class_exists(Process::class)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (class_exists(Process::class)) {
static $useProcess;
if ($useProcess ??= class_exists(Process::class)) {

Copy link
Member Author

@alexandre-daubois alexandre-daubois Nov 3, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I addressed your comments, thanks 🙂

src/Symfony/Component/HttpClient/DataCollector/HttpClientDataCollector.php Outdated
return null;
}
$dataArg[] = '--data '.escapeshellarg($payload);
$dataArg[] = '--data-raw '.$this->sanitizeArg(self::jsonEncode($json));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't sanitize, we escape

src/Symfony/Component/HttpClient/DataCollector/HttpClientDataCollector.php Outdated
return (new Process([$payload]))->getCommandLine();
}

if (\DIRECTORY_SEPARATOR === '\\') {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (\DIRECTORY_SEPARATOR === '\\') {
if ('\\' === \DIRECTORY_SEPARATOR) {

@alexandre-daubois alexandre-daubois force-pushed the httpclientdatadecorator-argmax branch from d8be8f5 to 3b0bb11 Compare November 3, 2023 13:24
@fabpot
Copy link
Member

fabpot commented Nov 3, 2023

Thank you @alexandre-daubois.

@fabpot fabpot merged commit e8ce12a into symfony:6.3 Nov 3, 2023
@alexandre-daubois alexandre-daubois deleted the httpclientdatadecorator-argmax branch November 3, 2023 19:04
@MatTheCat MatTheCat mentioned this pull request Nov 6, 2023
Merged
nicolas-grekas added a commit that referenced this pull request Nov 6, 2023
@nicolas-grekas
bug #52472 [HttpClient][WebProfilerBundle] Do not generate cURL comma…
b8bba36 
…nd when files are uploaded (MatTheCat)

This PR was merged into the 6.3 branch.

Discussion
----------

[HttpClient][WebProfilerBundle] Do not generate cURL command when files are uploaded

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #51366
| License       | MIT

I also removed ``@requires` extension openssl` annotations since that does not seem to be the case since #45729.

Failures in AppVeyor occur because double quotes are missing around `--data-raw` values. Possibly related to #52429.

Commits
-------

4503f94 [HttpClient][WebProfilerBundle] Do not generate cURL command when files are uploaded
This was referenced Nov 10, 2023
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stof stof

@fabpot fabpot

@nicolas-grekas nicolas-grekas

Assignees
No one assigned
Labels
Bug HttpClient Status: Reviewed
Projects
None yet
Milestone
6.3
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@alexandre-daubois @fabpot @nicolas-grekas @stof @carsonbot