[HttpFoundation] Add parse_str()-based methods for query strings normalization

nicolas-grekas · nicolas-grekas · commit e98cdc37252e · 2018-02-19T15:41:44.000+01:00
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -524,9 +524,11 @@ public function __toString()
      */
     public function overrideGlobals()
     {
-        $this->server->set('QUERY_STRING', static::normalizeQueryString(http_build_query($this->query->all(), null, '&')));
+        $query = $this->query->all();
+        ksort($query);
+        $this->server->set('QUERY_STRING', http_build_query($query, null, '&', PHP_QUERY_RFC3986));
 
-        $_GET = $this->query->all();
+        $_GET = $query;
         $_POST = $this->request->all();
         $_SERVER = $this->server->all();
         $_COOKIE = $this->cookies->all();
@@ -656,6 +658,24 @@ public static function normalizeQueryString($qs)
         return implode('&', $parts);
     }
 
+    /**
+     * Normalizes a query string using `parse_str()`.
+     *
+     * It builds a normalized query string, where root-keys/value pairs are alphabetized,
+     * have consistent escaping and unneeded delimiters are removed.
+     */
+    public static function normalizeQueryStringForPhp(string $qs): string
+    {
+        if ('' == $qs) {
+            return '';
+        }
+
+        parse_str($qs, $qs);
+        ksort($qs);
+
+        return http_build_query($qs, '', '&', PHP_QUERY_RFC3986);
+    }
+
     /**
      * Enables support for the _method request parameter to determine the intended HTTP method.
      *
@@ -1032,6 +1052,20 @@ public function getUri()
         return $this->getSchemeAndHttpHost().$this->getBaseUrl().$this->getPathInfo().$qs;
     }
 
+    /**
+     * Generates a `parse_str()`-normalized URI (URL) for the Request.
+     *
+     * @see getQueryStringForPhp()
+     */
+    public function getUriForPhp(): string
+    {
+        if (null !== $qs = $this->getQueryStringForPhp()) {
+            $qs = '?'.$qs;
+        }
+
+        return $this->getSchemeAndHttpHost().$this->getBaseUrl().$this->getPathInfo().$qs;
+    }
+
     /**
      * Generates a normalized URI for the given path.
      *
@@ -1114,6 +1148,19 @@ public function getQueryString()
         return '' === $qs ? null : $qs;
     }
 
+    /**
+     * Generates the query string for the Request, using `parse_str()` it value.
+     *
+     * It builds a normalized query string, where root-keys/value pairs are alphabetized
+     * and have consistent escaping.
+     */
+    public function getQueryStringForPhp(): ?string
+    {
+        $qs = static::normalizeQueryStringForPhp($this->server->get('QUERY_STRING'));
+
+        return '' === $qs ? null : $qs;
+    }
+
     /**
      * Checks whether the request is secure or not.
      *
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -696,6 +696,56 @@ public function getQueryStringNormalizationData()
             // Ignore pairs with empty key, even if there was a value, e.g. "=value", as such nameless values cannot be retrieved anyway.
             // PHP also does not include them when building _GET.
             array('foo=bar&=a=b&=x=y', 'foo=bar', 'removes params with empty key'),
+
+            // Also reorder nested query string keys
+            array('foo[]=Z&foo[]=A', 'foo%5B%5D=A&foo%5B%5D=Z', 'reorders values'),
+            array('foo[Z]=B&foo[A]=B', 'foo%5BA%5D=B&foo%5BZ%5D=B', 'reorders keys'),
+
+            array('utf8=✓', 'utf8=%E2%9C%93', 'encodes UTF-8'),
+        );
+    }
+
+    /**
+     * @dataProvider getQueryStringNormalizationDataForPhp
+     */
+    public function testGetQueryStringForPhp($query, $expectedQuery, $msg)
+    {
+        $request = new Request();
+
+        $request->server->set('QUERY_STRING', $query);
+        $this->assertSame($expectedQuery, $request->getQueryStringForPhp(), $msg);
+    }
+
+    public function getQueryStringNormalizationDataForPhp()
+    {
+        return array(
+            array('foo', 'foo=', 'works with valueless parameters'),
+            array('foo=', 'foo=', 'includes a dangling equal sign'),
+            array('bar=&foo=bar', 'bar=&foo=bar', '->works with empty parameters'),
+            array('foo=bar&bar=', 'bar=&foo=bar', 'sorts keys alphabetically'),
+
+            // GET parameters, that are submitted from a HTML form, encode spaces as "+" by default (as defined in enctype application/x-www-form-urlencoded).
+            // PHP also converts "+" to spaces when filling the global _GET or when using the function parse_str.
+            array('him=John%20Doe&her=Jane+Doe', 'her=Jane%20Doe&him=John%20Doe', 'normalizes spaces in both encodings "%20" and "+"'),
+
+            array('foo[]=1&foo[]=2', 'foo%5B0%5D=1&foo%5B1%5D=2', 'allows array notation'),
+            array('foo=1&foo=2', 'foo=2', 'merges repeated parameters'),
+            array('pa%3Dram=foo%26bar%3Dbaz&test=test', 'pa%3Dram=foo%26bar%3Dbaz&test=test', 'works with encoded delimiters'),
+            array('0', '0=', 'allows "0"'),
+            array('Jane Doe&John%20Doe', 'Jane_Doe=&John_Doe=', 'normalizes encoding in keys'),
+            array('her=Jane Doe&him=John%20Doe', 'her=Jane%20Doe&him=John%20Doe', 'normalizes encoding in values'),
+            array('foo=bar&&&test&&', 'foo=bar&test=', 'removes unneeded delimiters'),
+            array('formula=e=m*c^2', 'formula=e%3Dm%2Ac%5E2', 'correctly treats only the first "=" as delimiter and the next as value'),
+
+            // Ignore pairs with empty key, even if there was a value, e.g. "=value", as such nameless values cannot be retrieved anyway.
+            // PHP also does not include them when building _GET.
+            array('foo=bar&=a=b&=x=y', 'foo=bar', 'removes params with empty key'),
+
+            // Don't reorder nested query string keys
+            array('foo[]=Z&foo[]=A', 'foo%5B0%5D=Z&foo%5B1%5D=A', 'keeps order of values'),
+            array('foo[Z]=B&foo[A]=B', 'foo%5BZ%5D=B&foo%5BA%5D=B', 'keeps order of keys'),
+
+            array('utf8=✓', 'utf8=%E2%9C%93', 'encodes UTF-8'),
         );
     }
 
