[HttpFoundation] Add Request::set/getAllowedHttpMethodOverride() to list which HTTP methods can be overridden
#61979
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fabpot
reviewed
Oct 7, 2025
nicolas-grekas
force-pushed
the
hf-list-verbs-override
branch
3 times, most recently
from
93d5adf to
ff33c15
Compare
nicolas-grekas
changed the title
Request::$allowedHttpMethodOverride to list which HTTP methods can be overriddenRequest::set/getAllowedHttpMethodOverride() to list which HTTP methods can be overridden
nicolas-grekas
force-pushed
the
hf-list-verbs-override
branch
from
ff33c15 to
4704a8e
Compare
stof
reviewed
Oct 8, 2025
nicolas-grekas
force-pushed
the
hf-list-verbs-override
branch
3 times, most recently
from
a7f5d06 to
eac4c7c
Compare
…ich HTTP methods can be overridden
nicolas-grekas
force-pushed
the
hf-list-verbs-override
branch
from
eac4c7c to
a4f51c9
Compare
mtarld
approved these changes
Oct 9, 2025
nicolas-grekas
commented
Oct 9, 2025
| } | ||
| $container->parameterCannotBeEmpty('kernel.secret', 'A non-empty value for the parameter "kernel.secret" is required. Did you forget to configure the '.$emptySecretHint.'?'); | ||
|
|
||
| $container->setParameter('kernel.http_method_override', $config['http_method_override']); |
Member
Author
There was a problem hiding this comment.
Not that this naming is quite unfortunate as it's confusing: the setting is only about allowing the use of the _method parameter. Overriding using the header is always available.
A better name would have been enable_http_method_override_parameter, like the name of the corresponding static method. In case anyone wants to follow up in another PR (deprecating the option, the parameter, BC/FC layer, etc.).
fabpot
approved these changes
Oct 10, 2025
Member
|
Thank you @nicolas-grekas. |
xabbuh
reviewed
Oct 10, 2025
| } | ||
|
|
||
| if (null !== $allowedHttpMethodOverride) { | ||
| $container->getDefinition('http_cache') |
Member
Author
There was a problem hiding this comment.
Git blame tells me its for configuring this before httpcache is created, which can happen super early before bundles are initialized
Member
This was referenced Oct 27, 2025
Merged
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This feature addresses https://github.com/symfony/symfony/pull/61949/files#r2402280654 and hardens HttpFoundation by giving control over which HTTP methods can be overridden:
Providing no method disables verb tunneling altogether:
Request::setAllowedHttpMethodOverride([]);This setting can be set using standard Symfony configuration:
2 implementations note: