Do not imply having parsed the request body

Strictly follow the PSR-7 guidance where $_POST is used for a request’s parsed body only for very specific requests. All other requests should result in a null value and leave other parsing up to application logic.
Nyholm · Feb 3, 2019 · f39c4b8 · f39c4b8
1 parent 4d03768
commit f39c4b8
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/src/ServerRequestCreator.php b/src/ServerRequestCreator.php
@@ -51,13 +51,18 @@ public function fromGlobals(): ServerRequestInterface
 
         $headers = \function_exists('getallheaders') ? getallheaders() : static::getHeadersFromServer($_SERVER);
 
-        return $this->fromArrays($server, $headers, $_COOKIE, $_GET, $_POST, $_FILES, \fopen('php://input', 'r') ?: null);
+        $post = null;
+        if ('POST' === $this->getMethodFromEnv($server) && \in_array($headers['content-type'], ['application/x-www-form-urlencoded', 'multipart/form-data'])) {
+            $post = $_POST;
+        }
+
+        return $this->fromArrays($server, $headers, $_COOKIE, $_GET, $post, $_FILES, \fopen('php://input', 'r') ?: null);
     }
 
     /**
      * {@inheritdoc}
      */
-    public function fromArrays(array $server, array $headers = [], array $cookie = [], array $get = [], array $post = [], array $files = [], $body = null): ServerRequestInterface
+    public function fromArrays(array $server, array $headers = [], array $cookie = [], array $get = [], array $post = null, array $files = [], $body = null): ServerRequestInterface
     {
         $method = $this->getMethodFromEnv($server);
         $uri = $this->getUriFromEnvWithHTTP($server);

diff --git a/src/ServerRequestCreatorInterface.php b/src/ServerRequestCreatorInterface.php
@@ -31,7 +31,7 @@ public function fromGlobals(): ServerRequestInterface;
      * @param array                                $headers typically the output of getallheaders() or similar structure
      * @param array                                $cookie  typically $_COOKIE or similar structure
      * @param array                                $get     typically $_GET or similar structure
-     * @param array                                $post    typically $_POST or similar structure
+     * @param array|null                           $post    typically $_POST or similar structure, represents parsed request body
      * @param array                                $files   typically $_FILES or similar structure
      * @param StreamInterface|resource|string|null $body    Typically stdIn
      *
@@ -42,7 +42,7 @@ public function fromArrays(
         array $headers = [],
         array $cookie = [],
         array $get = [],
-        array $post = [],
+        array $post = null,
         array $files = [],
         $body = null
     ): ServerRequestInterface;