From d2760e4ec7e5aa768e61491c8d3cc563788983e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juli=C3=A1n=20Guti=C3=A9rrez?=
Date: Fri, 12 Feb 2016 13:56:14 +0100
Subject: [PATCH] secure access to body params

---
 src/Grant/AbstractGrant.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php
index 01917c91..9d22418b 100644
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@@ -249,13 +249,15 @@ abstract class AbstractGrant implements GrantTypeInterface
 */
 protected function getRequestParameter($parameter, ServerRequestInterface $request, $default = null)
 {
- return (isset($request->getParsedBody()[$parameter])) ? $request->getParsedBody()[$parameter] : $default;
+ return (is_array($request->getParsedBody()) && isset($request->getParsedBody()[$parameter]))
+ ? $request->getParsedBody()[$parameter]
+ : $default;
 }
 
 /**
 * Retrieve server parameter.
 *
- * @param string|array $parameter
+ * @param string $parameter
 * @param \Psr\Http\Message\ServerRequestInterface $request
 * @param mixed $default
 *
@@ -314,7 +316,8 @@ abstract class AbstractGrant implements GrantTypeInterface
 public function canRespondToRequest(ServerRequestInterface $request)
 {
 return (
- isset($request->getParsedBody()['grant_type'])
+ is_array($request->getParsedBody())
+ && isset($request->getParsedBody()['grant_type'])
 && $request->getParsedBody()['grant_type'] === $this->identifier
 );
 }
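Review bot: In getRequestParameter the new `is_array()` guard covers a null parsed body, but the value returned is still whatever the body holds for that key, so a nested array or other non-string reaches the callers unchanged. The callers are outside this hunk, so whether they expect a string is not visible here; if they do, either say so in the docblock (`@return mixed Value from the parsed body, not guaranteed to be a string`) or reject non-scalars at this point. PSR-7 also allows getParsedBody() to return an object, which the guard now treats as "no parameters"; a one-line comment stating that this fallback to `$default` is intended would help. Reading the body once keeps the guard and the lookup on the same value: `$body = $request->getParsedBody();` followed by `return (is_array($body) && isset($body[$parameter])) ? $body[$parameter] : $default;`. The same repeated call appears in canRespondToRequest in the second hunk.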
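Review bot: canRespondToRequest repeats the guard that getRequestParameter now carries, so the two copies can drift apart; the body could be `return $this->getRequestParameter('grant_type', $request) === $this->identifier;`. That is only equivalent while `$this->identifier` is never null, since a missing parameter yields the null default; the property's declaration is outside this diff, so confirm that first. The strict `===` should stay as written, because it also rejects a grant_type value that is not a string.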