fix(state): guard hex2bin against malformed query parameter keys#8255

Merged

soyuka merged 1 commit into api-platform:4.3 from soyuka:fix/state-hex2bin-malformed-query
Jun 5, 2026

Conversation

@soyuka soyuka commented Jun 5, 2026

Summary

Supersedes #8250 (kept author credit via Co-authored-by).

When a query string contains unclosed brackets with multibyte or non-hex bytes (e.g. ?y%5B%C2%9D=), parse_str() mangles the hex-encoded key into a value hex2bin() cannot decode. PHP emits an E_WARNING which Symfony's debug error handler converts into a 500.

Change

Pre-check key shape with a single regex (/\A(?:[0-9a-f]{2})+\z/) before calling hex2bin(). Mangled keys pass through verbatim — no warning, no crash, no silent empty-key collision.

Differences vs #8250:

  • Single regex check instead of strlen % 2 + strspn (no double \strlen call, no duplicated hex validation)
  • Two test cases instead of one: covers both the multibyte (?y%5B%C2%9D=) and the even-length-non-hex (?z%5Bg=) branches independently

Test plan

  • vendor/bin/phpunit src/State/Tests/Util/RequestParserTest.php — 6/6 green
  • Both new entries fail with '' (silent empty-key) on main before fix
  • All 4 pre-existing entries still pass

Closes #8250

When a query string contains unclosed brackets with multibyte or non-hex
bytes (e.g. `?y%5B%C2%9D=`), parse_str() mangles the hex-encoded key
into a value hex2bin() cannot decode, triggering an E_WARNING that
Symfony's debug error handler converts into a 500. Pre-check the key
shape and pass mangled keys through verbatim.

Closes api-platform#8250

Co-authored-by: Wietse Warendorff <313525+wietsewarendorff@users.noreply.github.com>
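The following is an added example, not API Platform's own code. `parseQueryKeys()` is a hypothetical stand-in for the hex-encoding query parser the description refers to: the shape (hex-encode top-level keys so `parse_str()` leaves them untouched, parse, decode the keys again) is an assumption reconstructed from the PR text, and the `$guard` flag toggles the regex pre-check the PR adds. A throwing error handler stands in for Symfony's debug handler so that the `E_WARNING` path is visible as an exception. Requires PHP 8.1+.

```php
<?php
declare(strict_types=1);

// Added example, not API Platform's code. parseQueryKeys() is a hypothetical
// stand-in for the hex-encoding query parser the PR describes; $guard turns the
// PR's regex pre-check on or off so both behaviours can be compared.
function parseQueryKeys(string $source, bool $guard): array
{
    // A literal '[' is what lets parse_str() build nested arrays. An unclosed
    // '[' is rewritten to '_' by parse_str(), which is where keys get mangled.
    $source = str_replace(['%5B', '%5b'], '[', ltrim($source, '?'));

    // Hex-encode each top-level key (everything up to '=', '[' or '&') so that
    // parse_str() cannot turn '.' or ' ' inside the key into '_'.
    $source = preg_replace_callback(
        '/(^|(?<=&))[^=[&]+/',
        static fn (array $m): string => bin2hex(urldecode($m[0])),
        $source
    );

    parse_str($source, $params);

    $decoded = [];
    foreach ($params as $key => $value) {
        $key = (string) $key; // parse_str() turns all-digit keys into ints

        if ($guard && !preg_match('/\A(?:[0-9a-f]{2})+\z/', $key)) {
            // Mangled key: keep it verbatim instead of handing it to hex2bin().
            $decoded[$key] = $value;
            continue;
        }

        $decoded[hex2bin($key)] = $value;
    }

    return $decoded;
}

// Emulate Symfony's debug error handler: every E_WARNING becomes an exception,
// which the HTTP kernel would then render as a 500 response.
set_error_handler(static function (int $no, string $str): never {
    throw new ErrorException($str, 0, $no);
});

// Constructed query strings: two well-formed ones and the two malformed shapes
// named in the PR (multibyte byte after an unclosed bracket, and an even-length
// non-hex key).
$cases = [
    'page=1&filter.name=foo',  // '.' survives only because of the hex round-trip
    'order%5Bname%5D=asc',     // closed bracket: nested array, key decodes fine
    'y%5B%C2%9D=',             // unclosed bracket + multibyte: odd-length key
    'z%5Bg=',                  // unclosed bracket + 'g': even-length, non-hex key
];

foreach ($cases as $query) {
    try {
        $unguarded = json_encode(parseQueryKeys($query, guard: false));
    } catch (ErrorException $e) {
        $unguarded = 'E_WARNING: ' . $e->getMessage();
    }
    $guarded = json_encode(parseQueryKeys($query, guard: true));

    printf("%-24s unguarded: %s\n%-24s guarded:   %s\n", $query, $unguarded, '', $guarded);
}
```

The two well-formed inputs decode identically with and without the guard. For `y%5B%C2%9D=`, `parse_str()` produces the key `79_\xC2\x9D` (five bytes, odd length), and for `z%5Bg=` it produces `7a_g` (even length but not hex); in both cases the unguarded path raises the `E_WARNING` that the error handler turns into an exception, while the guarded path returns the mangled key unchanged with its empty value. Without a throwing handler, `hex2bin()` would instead return `false`, which PHP casts to the `''` array key, so any two mangled keys would collide on the same empty key. That is the silent empty-key collision the test plan mentions.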
@soyuka soyuka force-pushed the fix/state-hex2bin-malformed-query branch from acc1329 to e468a34 on June 5, 2026 12:40
@soyuka soyuka merged commit 86a09b3 into api-platform:4.3 Jun 5, 2026
112 checks passed
@soyuka soyuka deleted the fix/state-hex2bin-malformed-query branch June 5, 2026 15:16