[HttpKernel] Check controllers are allowed when using the fallback surrogate strategy

nicolas-grekas · nicolas-grekas · commit 86898a6fe158 · 2023-11-08T18:56:05.000+01:00
diff --git a/src/Symfony/Component/HttpKernel/Fragment/AbstractSurrogateFragmentRenderer.php b/src/Symfony/Component/HttpKernel/Fragment/AbstractSurrogateFragmentRenderer.php
@@ -59,6 +59,8 @@ public function __construct(?SurrogateInterface $surrogate, FragmentRendererInte
     public function render(string|ControllerReference $uri, Request $request, array $options = []): Response
     {
         if (!$this->surrogate || !$this->surrogate->hasSurrogateCapability($request)) {
+            $request->attributes->set('_check_controller_is_allowed', -1); // @deprecated, switch to true in Symfony 7
+
             if ($uri instanceof ControllerReference && $this->containsNonScalars($uri->attributes)) {
                 throw new \InvalidArgumentException('Passing non-scalar values as part of URI attributes to the ESI and SSI rendering strategies is not supported. Use a different rendering strategy or pass scalar values.');
             }
diff --git a/src/Symfony/Component/HttpKernel/Fragment/InlineFragmentRenderer.php b/src/Symfony/Component/HttpKernel/Fragment/InlineFragmentRenderer.php
@@ -133,6 +133,9 @@ protected function createSubRequest(string $uri, Request $request)
         if ($request->attributes->has('_stateless')) {
             $subRequest->attributes->set('_stateless', $request->attributes->get('_stateless'));
         }
+        if ($request->attributes->has('_check_controller_is_allowed')) {
+            $subRequest->attributes->set('_check_controller_is_allowed', $request->attributes->get('_check_controller_is_allowed'));
+        }
 
         return $subRequest;
     }

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,8 @@ public function __construct(?SurrogateInterface $surrogate, FragmentRendererInte`
`59`	`59`	`public function render(string\|ControllerReference $uri, Request $request, array $options = []): Response`
`60`	`60`	`{`
`61`	`61`	`if (!$this->surrogate \|\| !$this->surrogate->hasSurrogateCapability($request)) {`
	`62`	`+ $request->attributes->set('_check_controller_is_allowed', -1); // @deprecated, switch to true in Symfony 7`
	`63`	`+`
`62`	`64`	`if ($uri instanceof ControllerReference && $this->containsNonScalars($uri->attributes)) {`
`63`	`65`	`throw new \InvalidArgumentException('Passing non-scalar values as part of URI attributes to the ESI and SSI rendering strategies is not supported. Use a different rendering strategy or pass scalar values.');`
`64`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,9 @@ protected function createSubRequest(string $uri, Request $request)`
`133`	`133`	`if ($request->attributes->has('_stateless')) {`
`134`	`134`	`$subRequest->attributes->set('_stateless', $request->attributes->get('_stateless'));`
`135`	`135`	`}`
	`136`	`+ if ($request->attributes->has('_check_controller_is_allowed')) {`
	`137`	`+ $subRequest->attributes->set('_check_controller_is_allowed', $request->attributes->get('_check_controller_is_allowed'));`
	`138`	`+ }`
`136`	`139`
`137`	`140`	`return $subRequest;`
`138`	`141`	`}`