Return a 400 response for suspicious operations
This commit is contained in:
parent
e98c068745
commit
d876809cec
@ -11,6 +11,7 @@
|
||||
|
||||
namespace Symfony\Component\Debug\Exception;
|
||||
|
||||
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
|
||||
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
|
||||
|
||||
/**
|
||||
@ -41,6 +42,8 @@ class FlattenException
|
||||
if ($exception instanceof HttpExceptionInterface) {
|
||||
$statusCode = $exception->getStatusCode();
|
||||
$headers = array_merge($headers, $exception->getHeaders());
|
||||
} elseif ($exception instanceof SuspiciousOperationException) {
|
||||
$statusCode = 400;
|
||||
}
|
||||
|
||||
if (null === $statusCode) {
|
||||
|
@ -12,6 +12,7 @@
|
||||
namespace Symfony\Component\Debug\Tests\Exception;
|
||||
|
||||
use Symfony\Component\Debug\Exception\FlattenException;
|
||||
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
|
||||
@ -78,6 +79,11 @@ class FlattenExceptionTest extends \PHPUnit_Framework_TestCase
|
||||
|
||||
$flattened = FlattenException::create(new UnsupportedMediaTypeHttpException());
|
||||
$this->assertEquals('415', $flattened->getStatusCode());
|
||||
|
||||
if (class_exists(SuspiciousOperationException::class)) {
|
||||
$flattened = FlattenException::create(new SuspiciousOperationException());
|
||||
$this->assertEquals('400', $flattened->getStatusCode());
|
||||
}
|
||||
}
|
||||
|
||||
public function testHeadersForHttpException()
|
||||
|
@ -0,0 +1,20 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
* This file is part of the Symfony package.
|
||||
*
|
||||
* (c) Fabien Potencier <fabien@symfony.com>
|
||||
*
|
||||
* For the full copyright and license information, please view the LICENSE
|
||||
* file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
namespace Symfony\Component\HttpFoundation\Exception;
|
||||
|
||||
/**
|
||||
* Raised when a user has performed an operation that should be considered
|
||||
* suspicious from a security perspective.
|
||||
*/
|
||||
class SuspiciousOperationException extends \UnexpectedValueException
|
||||
{
|
||||
}
|
@ -12,6 +12,7 @@
|
||||
namespace Symfony\Component\HttpFoundation;
|
||||
|
||||
use Symfony\Component\HttpFoundation\Exception\ConflictingHeadersException;
|
||||
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
|
||||
use Symfony\Component\HttpFoundation\Session\SessionInterface;
|
||||
|
||||
/**
|
||||
@ -1198,7 +1199,7 @@ class Request
|
||||
*
|
||||
* @return string
|
||||
*
|
||||
* @throws \UnexpectedValueException when the host name is invalid
|
||||
* @throws SuspiciousOperationException when the host name is invalid
|
||||
*/
|
||||
public function getHost()
|
||||
{
|
||||
@ -1220,7 +1221,7 @@ class Request
|
||||
// check that it does not contain forbidden characters (see RFC 952 and RFC 2181)
|
||||
// use preg_replace() instead of preg_match() to prevent DoS attacks with long host names
|
||||
if ($host && '' !== preg_replace('/(?:^\[)?[a-zA-Z0-9-:\]_]+\.?/', '', $host)) {
|
||||
throw new \UnexpectedValueException(sprintf('Invalid Host "%s"', $host));
|
||||
throw new SuspiciousOperationException(sprintf('Invalid Host "%s"', $host));
|
||||
}
|
||||
|
||||
if (count(self::$trustedHostPatterns) > 0) {
|
||||
@ -1238,7 +1239,7 @@ class Request
|
||||
}
|
||||
}
|
||||
|
||||
throw new \UnexpectedValueException(sprintf('Untrusted Host "%s"', $host));
|
||||
throw new SuspiciousOperationException(sprintf('Untrusted Host "%s"', $host));
|
||||
}
|
||||
|
||||
return $host;
|
||||
|
@ -11,6 +11,7 @@
|
||||
|
||||
namespace Symfony\Component\HttpFoundation\Tests;
|
||||
|
||||
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
|
||||
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
|
||||
use Symfony\Component\HttpFoundation\Session\Session;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
@ -1871,7 +1872,7 @@ class RequestTest extends \PHPUnit_Framework_TestCase
|
||||
try {
|
||||
$request->getHost();
|
||||
$this->fail('Request::getHost() should throw an exception when host is not trusted.');
|
||||
} catch (\UnexpectedValueException $e) {
|
||||
} catch (SuspiciousOperationException $e) {
|
||||
$this->assertEquals('Untrusted Host "evil.com"', $e->getMessage());
|
||||
}
|
||||
|
||||
@ -1935,7 +1936,7 @@ class RequestTest extends \PHPUnit_Framework_TestCase
|
||||
$this->assertSame($expectedPort, $request->getPort());
|
||||
}
|
||||
} else {
|
||||
$this->setExpectedException('UnexpectedValueException', 'Invalid Host');
|
||||
$this->setExpectedException(SuspiciousOperationException::class, 'Invalid Host');
|
||||
$request->getHost();
|
||||
}
|
||||
}
|
||||
|
@ -12,6 +12,7 @@
|
||||
namespace Symfony\Component\HttpKernel\EventListener;
|
||||
|
||||
use Psr\Log\LoggerInterface;
|
||||
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
|
||||
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
|
||||
use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
|
||||
use Symfony\Component\HttpKernel\KernelEvents;
|
||||
@ -68,7 +69,11 @@ class RouterListener implements EventSubscriberInterface
|
||||
private function setCurrentRequest(Request $request = null)
|
||||
{
|
||||
if (null !== $request) {
|
||||
$this->context->fromRequest($request);
|
||||
try {
|
||||
$this->context->fromRequest($request);
|
||||
} catch (SuspiciousOperationException $e) {
|
||||
// Do nothing.
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user