Description
- Laravel Version: Since 4.2, still affects the latest version
- PHP Version: n/a
- Database Driver & Version: n/a
Description:
Within createFromBase the request parameter bag is set to the result of getInputSource. This can be POST form data, JSON request data or query parameters from a GET request. This behaviour dates way back and was introduced in #7052. It looks like the main goal of that PR was designed to make sure $request->request was filled with JSON data from the request.
But surely query parameters should never end up in the $request->request bag. The documentation on the base Symfony Request class is:
/**
* Request body parameters ($_POST).
*
* @var \Symfony\Component\HttpFoundation\ParameterBag
*/
public $request;
I'm less clear about whether GET requests with JSON payloads should end up in the $request->request bag? My feeling is they probably shouldn't, but the PR above (#7052) was made to enable such functionality.
I discovered this because I had some code designed for the base Symfony request that assumed data coming out of $request->request must have been received via a POST request (and so would be csrf protected). Yes, I should explicitly check the request type and now do. But I was certainly surprised to find query parameters in that bag.
Steps To Reproduce:
Within a GET request with query parameters, dd($request->request->all());