yii2: yii\filters\VerbFilter violates HTTP 1.1 spec
https://tools.ietf.org/html/rfc7230#section-3.1.1
The method token indicates the request method to be performed on the target resource. The request method is case-sensitive.
https://tools.ietf.org/html/rfc7231#section-4
±--------±------------------------------------------------±------+ | Method | Description | Sec. | ±--------±------------------------------------------------±------+ | GET | Transfer a current representation of the target | 4.3.1 | | | resource. | | | HEAD | Same as GET, but only transfer the status line | 4.3.2 | | | and header section. | | | POST | Perform resource-specific processing on the | 4.3.3 | | | request payload. | | | PUT | Replace all current representations of the | 4.3.4 | | | target resource with the request payload. | | | DELETE | Remove all current representations of the | 4.3.5 | | | target resource. | | | CONNECT | Establish a tunnel to the server identified by | 4.3.6 | | | the target resource. | | | OPTIONS | Describe the communication options for the | 4.3.7 | | | target resource. | | | TRACE | Perform a message loop-back test along the path | 4.3.8 | | | to the target resource. | | ±--------±------------------------------------------------±------+
yii\filters\VerbFilter class violates HTTP 1.1 spec by assuming that HTTP method names are case-insensitive as a result preventing the use of distinct and valid custom methods such as ‘get’, ‘Get’ (distinct from standard method ‘GET’), etc.
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 24 (23 by maintainers)
🤦 You’re really overreacting here. All proper requests with standard HTTP method are handling properly. And if you want to have
putandPUTmethods that works differently, you’re just asking for trouble - it is good that Yii does not allow you to do that.There is only one way to find out. 😈
I’ve reviewed about 10 apps this year and all of them used lowercase method names.
These will be suddenly broken after minor update and implications could be really serious including security issues.
Overall, I’m OK requiring uppercase methods in 2.1 but doubt it’s a good change for 2.0.
I am not saying that Yii should not follow the standard, but as it currently does not, changing it will break a lot of applications and therefore we need to weigth the practial application of non-uppercase HTTP methods vs. breaking existing applications. I currently do not see the need to break anything in 2.0.x. We can adjust it in 2.1 to be compatible.
Please share the link to the Symfony issue with your report, I’m curious how this will be handled. Also remember to report similar to the Laravel.
That’s not the point. The point is that many apps will be broken for sure. Following the spec if fine but breaking many existing apps in minor version intentionally for the sake of formal compliance and nothing else is not.
In this case we know exactly that apps will be broken. The right thing to do in this case is to use 2.1 tag to release it where intentional breaks are totally fine. Of course, we sometimes introducing intentional breaks in 2.0 but these are for things concerning security mostly which could not be avoided.
Right. Not in this case.
I do agree with @PowerGamer1 on this one, while those 10 applications @samdark reviewed used lower case, how many do not? It’s a problem I see all the time with Yii2 applications, yii2 doesn’t follow standards ( PSR or otherwise ) so why should the users of the framework?