Fixed `yii\filters\VerbFilter` uses case-insensitive comparison for the HTTP method name

7 years ago · 89c14b7dea
3 changed files with 68 additions and 3 deletions
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.1.0 under development
 -----------------------

+- Bug #14458: Fixed `yii\filters\VerbFilter` uses case-insensitive comparison for the HTTP method name (klimov-paul)
 - Enh #879: Caching implementation refactored according to PSR-16 'Simple Cache' specification (klimov-paul)
 - Enh #11328: Added support for PSR-7 'HTTP Message' (klimov-paul)
 - Enh #13799: CAPTCHA rendering logic extracted into `yii\captcha\DriverInterface`, which instance is available via `yii\captcha\CaptchaAction::$driver` field (vladis84, klimov-paul)
--- a/framework/filters/VerbFilter.php
+++ b/framework/filters/VerbFilter.php
@ -89,15 +89,14 @@ class VerbFilter extends Behavior
    {
        $action = $event->action->id;
        if (isset($this->actions[$action])) {
-            $verbs = $this->actions[$action];
+            $allowed = $this->actions[$action];
        } elseif (isset($this->actions['*'])) {
-            $verbs = $this->actions['*'];
+            $allowed = $this->actions['*'];
        } else {
            return $event->isValid;
        }

        $verb = Yii::$app->getRequest()->getMethod();
-        $allowed = array_map('strtoupper', $verbs);
        if (!in_array($verb, $allowed)) {
            $event->isValid = false;
            // https://tools.ietf.org/html/rfc2616#section-14.7
--- a/tests/framework/filters/VerbFilterTest.php
+++ b/tests/framework/filters/VerbFilterTest.php
@ -0,0 +1,65 @@
+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yiiunit\framework\filters;
+
+use Yii;
+use yii\base\Action;
+use yii\base\ActionEvent;
+use yii\filters\VerbFilter;
+use yii\web\Controller;
+use yii\web\MethodNotAllowedHttpException;
+use yii\web\Request;
+use yiiunit\TestCase;
+
+/**
+ * @group filters
+ */
+class VerbFilterTest extends TestCase
+{
+    protected function setUp()
+    {
+        parent::setUp();
+
+        $_SERVER['SCRIPT_FILENAME'] = '/index.php';
+        $_SERVER['SCRIPT_NAME'] = '/index.php';
+
+        $this->mockWebApplication();
+    }
+
+    public function testFilter()
+    {
+        $request = new Request();
+        $this->mockWebApplication([
+            'components' => [
+                'request' => $request
+            ],
+        ]);
+        $controller = new Controller('id', Yii::$app);
+        $action = new Action('test', $controller);
+        $filter = new VerbFilter([
+            'actions' => [
+                '*' => ['GET', 'POST', 'Custom'],
+            ]
+        ]);
+
+        $event = new ActionEvent($action);
+
+        $request->setMethod('GET');
+        $this->assertTrue($filter->beforeAction($event));
+
+        $request->setMethod('CUSTOM');
+
+        try {
+            $filter->beforeAction($event);
+        } catch (MethodNotAllowedHttpException $exception) {
+        }
+
+        $this->assertTrue(isset($exception));
+        $this->assertEquals(['GET, POST, Custom'], Yii::$app->response->getHeader('Allow'));
+    }
+}