Question

In Magento 2.3 there are some interfaces for all the HTTP verbs:

  • Magento\Framework\App\Action\HttpPostActionInterface
  • Magento\Framework\App\Action\HttpGetActionInterface
  • ...

All of them are empty and implement Magento\Framework\App\ActionInterface.
I also found that all of them are mapped in app/etc/di.xml to a parameter of Magento\Framework\App\Request\HttpMethodMap and a lot of the controllers implement these interfaces.
But not all controllers.
That's all I could find about them.
What's their purpose?


Solution

It's to improve the way controllers handle their validation, I believe. We've had quite a few SUPEE patches fixing things like form key validation being bypassed by it being a GET request or similar. This method should help prevent them outright.

To improve security and logistics we need to allow limiting Actions to processing only requests with certain HTTP methods and add those limitations to as many existing Actions as possible. There are many vulnerabilities caused by actions processing both GET and POST requests and thus allowing bypassing security validations like form key validation. Also limiting actions to processing only requests with certain methods would serve as self-documentation for Action classes and improve consistency of server side for client code and functional tests.

https://github.com/magento/architecture/blob/514952e8883234140071ec70f3b696d8267d52d0/design-documents/allowed-http-methods-for-actions.md
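
A simplified model of the check these marker interfaces make possible, as an added example that is not from the original answer or from Magento's code base. The interfaces and classes below are self-contained stand-ins, `METHOD_MAP` stands in for the map configured in app/etc/di.xml, and treating an action with no marker as unrestricted is an assumption made here.

```php
<?php
declare(strict_types=1);

// Stand-ins for the empty marker interfaces (constructed for this example).
interface ActionInterface { public function execute(): string; }
interface HttpGetActionInterface extends ActionInterface {}
interface HttpPostActionInterface extends ActionInterface {}

// Stand-in for the verb => interface map configured in app/etc/di.xml.
const METHOD_MAP = [
    'GET'  => HttpGetActionInterface::class,
    'POST' => HttpPostActionInterface::class,
];

// State-changing action: declares that it handles POST only.
final class DeleteItem implements HttpPostActionInterface
{
    public function execute(): string { return 'deleted'; }
}

// Action with no marker; assumed here to stay unrestricted.
final class LegacyAction implements ActionInterface
{
    public function execute(): string { return 'legacy'; }
}

// Decide before execute() runs whether the request verb fits the action.
function isMethodAllowed(string $method, ActionInterface $action): bool
{
    $method = strtoupper($method);
    if (!array_key_exists($method, METHOD_MAP)) {
        return false; // verb has no mapped interface
    }
    // Which of the mapped marker interfaces does this action implement?
    $declared = array_intersect(METHOD_MAP, class_implements($action));
    if ($declared === []) {
        return true; // no limitation declared
    }
    return isset($declared[$method]);
}

// A GET to DeleteItem is refused, so a form key check tied to POST
// cannot be skipped by replaying the request as GET.
$cases = [['GET', new DeleteItem()], ['POST', new DeleteItem()], ['GET', new LegacyAction()]];
foreach ($cases as [$verb, $action]) {
    $verdict = isMethodAllowed($verb, $action) ? 'dispatch' : 'reject';
    printf("%-4s %-12s %s\n", $verb, get_class($action), $verdict);
}
```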

Licensed under: CC-BY-SA with attribution