Create README.md

no

Symfony version(s) affected

6.2.3

Description

list<Type> annotation in phpstan and psalm are

Lists are arrays with sequential integer keys starting at 0.

But when annotating an array like this, the deserializer (and I fear also the propertyinfo component) does not distinguish between a list and a generic array (Type[] / array<Type>). It enforces in both cases that the array indexes are integers. But it does not check that the result is an array_is_list in the list case.

So this means that you can actually deserialize a json object with integer keys instead of an actual json array and you will get a deserialized object where the array indexes are not sequential starting at 0.

How to reproduce

• Annotate an array with list<string>
• Try to deserialze a json object with with non-sequential integer keys json_encode([5 => 'foo', 1 => 'bar']) which should fail

Possible Solution

• Better solution: Validate the incoming array with array_is_list so it's not allowed to deserialize a json object into an list
• Worse solution: use array_values at the end to ensure the resulting array is valid according to the annotated type

Additional Context

No response

The $param is typed int. So if the routing param does not fit into an int, PHP will throw a TypeError. This in turn would trigger an 500 internal server error. So by requesting a too big page, e.g. /de/blog/page/147483647147483647147483647, one can trigger internal errors which should not be possible.

I don't think there is an easy solution to this general problem that Symfony could automatically provide. So the best solution seems to be to limit the size of the routing placeholder. With this limit the page will always fit into an int even on a 32-bit platform.