Description
When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks.
In Symfony 5.2, we've added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a X-Forwarded-Prefix HTTP header, leading to a web cache poisoning issue.
Resolution
Symfony now ensures that the X-Forwarded-Prefix HTTP header is not forwarded to sub-requests when it is not trusted.
The patch for this issue is available here for branch 5.3.
Credits
We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.
Sponsor the Symfony project.Zaloguj się, aby dodać komentarz
Inne posty w tej grupie
This week, Symfony released the stable version of Symfony 7.3, which includes lots of amazing new features. We also published the maintenance versions 6.4.22 and 7.2.7.
Symfony development highlights
This is the second part of the blog post showcasing the main DX (developer experience) features introduced in Symfony 7.3. Read the first part of this blog post.
Verify URI Signatures… https://symfon
Symfony 6.4.22 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in you
Symfony 7.2.7 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your
Symfony 7.3.0 has just been released. Check the New in Symfony 7.3 posts on this blog to learn about the main features of this new stable release; or check the first beta release announcement to get t
Symfony 7.3.0 has been released. As for any other Symfony release, our backward compatibility promise applies and this means that you should be able to upgrade easily to 7.3 without changing anything
Symfony 7.3 includes many small improvements aimed at making developers' lives easier and more productive. This blog post highlights some of the most useful DX (Developer Experience) features added in
