From e468a34024d5c5b8fa10d55187ff4a33df05aa46 Mon Sep 17 00:00:00 2001 From: soyuka Date: Fri, 5 Jun 2026 14:06:25 +0200 Subject: [PATCH] fix(state): guard hex2bin against malformed query parameter keys When a query string contains unclosed brackets with multibyte or non-hex bytes (e.g. `?y%5B%C2%9D=`), parse_str() mangles the hex-encoded key into a value hex2bin() cannot decode, triggering an E_WARNING that Symfony's debug error handler converts into a 500. Pre-check the key shape and pass mangled keys through verbatim. Closes #8250 Co-authored-by: Wietse Warendorff <313525+wietsewarendorff@users.noreply.github.com> --- src/State/Tests/Util/RequestParserTest.php | 3 +++ src/State/Util/RequestParser.php | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/State/Tests/Util/RequestParserTest.php b/src/State/Tests/Util/RequestParserTest.php index 40e0ea0f5d8..b8e37e18e00 100644 --- a/src/State/Tests/Util/RequestParserTest.php +++ b/src/State/Tests/Util/RequestParserTest.php @@ -42,6 +42,9 @@ public static function parseRequestParamsProvider(): array // urlencoded [] (square brackets) in query string. ['a%5B1%5D=%2525', ['a' => ['1' => '%25']]], + + ['y%5B%C2%9D=', ['79_'."\xC2\x9D" => '']], + ['z%5Bg=', ['7a_g' => '']], ]; } } diff --git a/src/State/Util/RequestParser.php b/src/State/Util/RequestParser.php index 4ac1018ea95..e83acf9e7f4 100644 --- a/src/State/Util/RequestParser.php +++ b/src/State/Util/RequestParser.php @@ -51,7 +51,12 @@ public static function parseRequestParams(string $source): array // parse_str urldecodes both keys and values in resulting array. parse_str($source, $params); - return array_combine(array_map('hex2bin', array_keys($params)), $params); + $keys = array_map( + static fn (string $key): string => preg_match('/\A(?:[0-9a-f]{2})+\z/', $key) ? hex2bin($key) : $key, + array_keys($params), + ); + + return array_combine($keys, $params); } /**
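Review bot: The two provider rows added to parseRequestParamsProvider carry no comment, unlike the `// urlencoded [] (square brackets) in query string.` row just above them, and the expected keys `'79_'."\xC2\x9D"` and `'7a_g'` are not self-explanatory. I would put `// unclosed bracket: parse_str() mangles the hex-encoded key, which is then returned undecoded.` above them. A row that combines a well-formed key with a mangled one in the same query string would also show that the guard is applied per key rather than to the whole request. The provider's array starts outside the hunk.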
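Review bot: The fallback branch of the new closure in parseRequestParams returns the key exactly as parse_str() left it, so callers receive a name such as `7a_g` that still carries the internal hex prefix and is not the parameter name the client sent. That deserves a comment above `$keys = array_map(`, for example `// Keys mangled by parse_str() (e.g. unclosed bracket) are returned as-is, still partly hex-encoded; do not treat them as the client's original name.`, so that filters or validators keyed on parameter names do not rely on them. Judging from the test expectations, a request that also sends the literal key `7a_g` would probably decode to the same name, and array_combine() would then silently keep only the last value. This should be confirmed against the encoding step, which lies outside the hunk along with the start of the function.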