Remove injecting query parameters and POST parameters in controllers as it's risky and can break an application easily (if users pass any query/post parameter they want)

mnapoli · mnapoli · commit 5a97b972873a · 2015-07-31T10:51:13.000+02:00
diff --git a/src/Controller/ControllerResolver.php b/src/Controller/ControllerResolver.php
@@ -36,7 +36,7 @@ public function getController(Request $request)
             $parameters = [
                 'request' => $request,
             ];
-            $parameters += $request->attributes->all() + $request->request->all() + $request->query->all();
+            $parameters += $request->attributes->all();
 
             return $this->invoker->call($controller, $parameters);
         };
diff --git a/tests/FunctionalTest.php b/tests/FunctionalTest.php
@@ -62,34 +62,6 @@ public function should_pass_url_placeholders()
         $this->assertEquals('Hello john', $response->getContent());
     }
 
-    /**
-     * @test
-     */
-    public function should_pass_query_parameters()
-    {
-        $app = $this->createApplication();
-
-        $app->get('/', ['DI\Bridge\Silex\Test\Fixture\Controller', 'hello']);
-
-        $response = $app->handle(Request::create('/?name=john'));
-        $this->assertEquals('Hello john', $response->getContent());
-    }
-
-    /**
-     * @test
-     */
-    public function should_pass_post_data()
-    {
-        $app = $this->createApplication();
-
-        $app->post('/', ['DI\Bridge\Silex\Test\Fixture\Controller', 'hello']);
-
-        $response = $app->handle(Request::create('/', 'POST', [
-            'name' => 'john',
-        ]));
-        $this->assertEquals('Hello john', $response->getContent());
-    }
-
     /**
      * @test
      */
