RequestFactory: throws exception on invalid $_POST/$_COOKIE data

Author: dg

src/Http/RequestFactory.php

@@ -157,8 +157,11 @@ private function getGetPostCookie(Url $url): array
 						$list[$key][$k] = $v;
 						$list[] = &$list[$key][$k];
 
-					} else {
+					} elseif (is_string($v)) {
 						$list[$key][$k] = (string) preg_replace('#[^' . self::CHARS . ']+#u', '', $v);
+
+					} else {
+						throw new Nette\InvalidStateException(sprintf('Invalid value in $_POST/$_COOKIE in key %s, expected string, %s given.', "'$k'", gettype($v)));
 					}
 				}
 			}

tests/Http/Request.invalidType.phpt

@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * Test: Nette\Http\Request invalid data.
+ */
+
+declare(strict_types=1);
+
+use Nette\Http;
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+
+
+test('invalid POST', function () {
+	$_POST = [
+		'int' => 1,
+	];
+
+	Assert::exception(function () {
+		(new Http\RequestFactory)->fromGlobals();
+	}, Nette\InvalidStateException::class, 'Invalid value in $_POST/$_COOKIE in key \'int\', expected string, integer given.');
+});
+
+
+test('invalid COOKIE', function () {
+	$_POST = [];
+	$_COOKIE = ['x' => [1]];
+
+	Assert::exception(function () {
+		(new Http\RequestFactory)->fromGlobals();
+	}, Nette\InvalidStateException::class, 'Invalid value in $_POST/$_COOKIE in key \'0\', expected string, integer given.');
+});