fix(state): guard hex2bin against malformed query parameter keys (#8255)

soyuka · wietsewarendorff · web-flow · commit 86a09b3c35d7 · 2026-06-05T17:16:47.000+02:00
Co-authored-by: Wietse Warendorff <313525+wietsewarendorff@users.noreply.github.com> Closes #8250
diff --git a/src/State/Tests/Util/RequestParserTest.php b/src/State/Tests/Util/RequestParserTest.php
@@ -42,6 +42,9 @@ public static function parseRequestParamsProvider(): array
 
             // urlencoded [] (square brackets) in query string.
             ['a%5B1%5D=%2525', ['a' => ['1' => '%25']]],
+
+            ['y%5B%C2%9D=', ['79_'."\xC2\x9D" => '']],
+            ['z%5Bg=', ['7a_g' => '']],
         ];
     }
 }
diff --git a/src/State/Util/RequestParser.php b/src/State/Util/RequestParser.php
@@ -51,7 +51,12 @@ public static function parseRequestParams(string $source): array
         // parse_str urldecodes both keys and values in resulting array.
         parse_str($source, $params);
 
-        return array_combine(array_map('hex2bin', array_keys($params)), $params);
+        $keys = array_map(
+            static fn (string $key): string => preg_match('/\A(?:[0-9a-f]{2})+\z/', $key) ? hex2bin($key) : $key,
+            array_keys($params),
+        );
+
+        return array_combine($keys, $params);
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,9 @@ public static function parseRequestParamsProvider(): array`
`42`	`42`
`43`	`43`	`// urlencoded [] (square brackets) in query string.`
`44`	`44`	`['a%5B1%5D=%2525', ['a' => ['1' => '%25']]],`
	`45`	`+`
	`46`	`+ ['y%5B%C2%9D=', ['79_'."\xC2\x9D" => '']],`
	`47`	`+ ['z%5Bg=', ['7a_g' => '']],`
`45`	`48`	`];`
`46`	`49`	`}`
`47`	`50`	`}`