don't pass the http scheme and host as the uri is signed without it #8950
Conversation
|
I think that it would be better to include the scheme and the host in the signature. Also, we do need some tests. Last but not the least, can you squash your commit and avoid merge commits? |
|
Ok, so I'll try to add the scheme and host to the signed signature instead. I was wondering how to squash the commits or how that worked. I couldn't seem to do a pull request for a single commit but I'm a git/github newbie. |
|
Digging in a bit more I see there are tests for this, however the tests are pretty simple in that they instantiate a request object (including the http scheme and host) but I don't actually know where the uri is signed on the render_hinclude code path. Grepping the source gets me only the src/Symfony/Bridge/Twig/CHANGELOG.md reference... |
|
So digging further you can ignore this pull request and simply make the following changes. Looking at the tests this behaviour matches what the tests are testing for, and I've tested this as well on a live site and it seems to work there. In src/Symfony/Component/HttpKernel/Fragment/HIncludeFragmentRenderer.php change line 83 to pass a third argument of true so $uri = $this->signer->sign($this->generateFragmentUri($uri, $request, true)); |
|
I've generated a proper pull request so will now close this. The proper pull request is #8951 |
Recently I started getting AccessDeniedHttpException from templates using render_hinclude. The reason is that the hash is signed without the http scheme or host. This change allows for the hinclude to work. I don't know if there are some tests that need to be written or if it would be better if the signer should include the scheme and host.