[HttpKernel] Ensure HttpCache::getTraceKey() does not throw exception

lyrixx · lyrixx · commit 7566856e48c6 · 2024-11-19T10:11:43.000+01:00
diff --git a/src/Symfony/Component/HttpKernel/HttpCache/HttpCache.php b/src/Symfony/Component/HttpKernel/HttpCache/HttpCache.php
@@ -17,6 +17,7 @@
 
 namespace Symfony\Component\HttpKernel\HttpCache;
 
+use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
@@ -715,7 +716,11 @@ private function getTraceKey(Request $request): string
             $path .= '?'.$qs;
         }
 
-        return $request->getMethod().' '.$path;
+        try {
+            return $request->getMethod().' '.$path;
+        } catch (SuspiciousOperationException) {
+            return '_INVALID_ '.$path;
+        }
     }
 
     /**
diff --git a/src/Symfony/Component/HttpKernel/Tests/HttpCache/HttpCacheTest.php b/src/Symfony/Component/HttpKernel/Tests/HttpCache/HttpCacheTest.php
@@ -61,6 +61,17 @@ public function testPassesOnNonGetHeadRequests()
         $this->assertFalse($this->response->headers->has('Age'));
     }
 
+    public function testPassesSuspiciousMethodRequests()
+    {
+        $this->setNextResponse(200);
+        $this->request('POST', '/', ['HTTP_X-HTTP-Method-Override' => '__CONSTRUCT']);
+        $this->assertHttpKernelIsCalled();
+        $this->assertResponseOk();
+        $this->assertTraceNotContains('stale');
+        $this->assertTraceNotContains('invalid');
+        $this->assertFalse($this->response->headers->has('Age'));
+    }
+
     public function testInvalidatesOnPostPutDeleteRequests()
     {
         foreach (['post', 'put', 'delete'] as $method) {
