security #cve-2020-15094 Remove headers with internal meaning from HttpClient responses (mpdude)
This PR was merged into the 4.4 branch.
This commit is contained in:
commit
d9910e0b33
@ -16,6 +16,7 @@ use Symfony\Component\HttpClient\CachingHttpClient;
|
|||||||
use Symfony\Component\HttpClient\MockHttpClient;
|
use Symfony\Component\HttpClient\MockHttpClient;
|
||||||
use Symfony\Component\HttpClient\Response\MockResponse;
|
use Symfony\Component\HttpClient\Response\MockResponse;
|
||||||
use Symfony\Component\HttpKernel\HttpCache\Store;
|
use Symfony\Component\HttpKernel\HttpCache\Store;
|
||||||
|
use Symfony\Contracts\HttpClient\ResponseInterface;
|
||||||
|
|
||||||
class CachingHttpClientTest extends TestCase
|
class CachingHttpClientTest extends TestCase
|
||||||
{
|
{
|
||||||
@ -39,4 +40,71 @@ class CachingHttpClientTest extends TestCase
|
|||||||
self::assertSame($response->getRequestOptions()['normalized_headers']['application-name'][0], 'Application-Name: test1234');
|
self::assertSame($response->getRequestOptions()['normalized_headers']['application-name'][0], 'Application-Name: test1234');
|
||||||
self::assertSame($response->getRequestOptions()['normalized_headers']['test-name-header'][0], 'Test-Name-Header: test12345');
|
self::assertSame($response->getRequestOptions()['normalized_headers']['test-name-header'][0], 'Test-Name-Header: test12345');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testDoesNotEvaluateResponseBody()
|
||||||
|
{
|
||||||
|
$body = file_get_contents(__DIR__.'/Fixtures/assertion_failure.php');
|
||||||
|
$response = $this->runRequest(new MockResponse($body, ['response_headers' => ['X-Body-Eval' => true]]));
|
||||||
|
$headers = $response->getHeaders();
|
||||||
|
|
||||||
|
$this->assertSame($body, $response->getContent());
|
||||||
|
$this->assertArrayNotHasKey('x-body-eval', $headers);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testDoesNotIncludeFile()
|
||||||
|
{
|
||||||
|
$file = __DIR__.'/Fixtures/assertion_failure.php';
|
||||||
|
|
||||||
|
$response = $this->runRequest(new MockResponse(
|
||||||
|
'test', ['response_headers' => [
|
||||||
|
'X-Body-Eval' => true,
|
||||||
|
'X-Body-File' => $file,
|
||||||
|
]]
|
||||||
|
));
|
||||||
|
$headers = $response->getHeaders();
|
||||||
|
|
||||||
|
$this->assertSame('test', $response->getContent());
|
||||||
|
$this->assertArrayNotHasKey('x-body-eval', $headers);
|
||||||
|
$this->assertArrayNotHasKey('x-body-file', $headers);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testDoesNotReadFile()
|
||||||
|
{
|
||||||
|
$file = __DIR__.'/Fixtures/assertion_failure.php';
|
||||||
|
|
||||||
|
$response = $this->runRequest(new MockResponse(
|
||||||
|
'test', ['response_headers' => [
|
||||||
|
'X-Body-File' => $file,
|
||||||
|
]]
|
||||||
|
));
|
||||||
|
$headers = $response->getHeaders();
|
||||||
|
|
||||||
|
$this->assertSame('test', $response->getContent());
|
||||||
|
$this->assertArrayNotHasKey('x-body-file', $headers);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testRemovesXContentDigest()
|
||||||
|
{
|
||||||
|
$response = $this->runRequest(new MockResponse(
|
||||||
|
'test', [
|
||||||
|
'response_headers' => [
|
||||||
|
'X-Content-Digest' => 'some-hash',
|
||||||
|
]
|
||||||
|
]));
|
||||||
|
$headers = $response->getHeaders();
|
||||||
|
|
||||||
|
$this->assertArrayNotHasKey('x-content-digest', $headers);
|
||||||
|
}
|
||||||
|
|
||||||
|
private function runRequest(MockResponse $mockResponse): ResponseInterface
|
||||||
|
{
|
||||||
|
$mockClient = new MockHttpClient($mockResponse);
|
||||||
|
|
||||||
|
$store = new Store(sys_get_temp_dir() . '/sf_http_cache');
|
||||||
|
$client = new CachingHttpClient($mockClient, $store);
|
||||||
|
|
||||||
|
$response = $client->request('GET', 'http://test');
|
||||||
|
|
||||||
|
return $response;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
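Review bot: `runRequest()` sends every test's request for the same URL `http://test` through a Store rooted at the fixed shared directory `sys_get_temp_dir() . '/sf_http_cache'`, and nothing in the class clears it, so if any mocked response is ever persisted, a later test — or the next CI run on the same machine — could be served the cached entry instead of the MockHttpClient response and pass or fail for the wrong reason. Use a per-test directory and delete it in `tearDown()`, e.g. `$store = new Store(sys_get_temp_dir().'/sf_http_cache_'.uniqid('', true));`, which also drops the spaces around `.` that the rest of the file avoids (`__DIR__.'/Fixtures/assertion_failure.php'`). A short docblock on the helper, `/** Sends one GET through CachingHttpClient backed by a MockHttpClient that yields $mockResponse. */`, would make its role obvious. Whether the Store actually persists these header-less 200 responses depends on HttpCache's cacheability rules, which are outside this hunk.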
@ -0,0 +1,3 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
throw new \PHPUnit\Framework\AssertionFailedError('Response body should not be evaluated.');
|
@ -58,6 +58,10 @@ final class HttpClientKernel implements HttpKernelInterface
|
|||||||
|
|
||||||
$response = new Response($response->getContent(!$catch), $response->getStatusCode(), $response->getHeaders(!$catch));
|
$response = new Response($response->getContent(!$catch), $response->getStatusCode(), $response->getHeaders(!$catch));
|
||||||
|
|
||||||
|
$response->headers->remove('X-Body-File');
|
||||||
|
$response->headers->remove('X-Body-Eval');
|
||||||
|
$response->headers->remove('X-Content-Digest');
|
||||||
|
|
||||||
$response->headers = new class($response->headers->all()) extends ResponseHeaderBag {
|
$response->headers = new class($response->headers->all()) extends ResponseHeaderBag {
|
||||||
protected function computeCacheControlValue(): string
|
protected function computeCacheControlValue(): string
|
||||||
{
|
{
|
||||||
|
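Review bot: The three new `$response->headers->remove(...)` calls carry no comment explaining why exactly these headers are dangerous, and the list duplicates knowledge that lives in HttpCache's Store, so a maintainer adding another internal header there has no pointer back to this kernel. I would precede them with `// Strip headers HttpCache/Store treats as instructions (X-Body-File: include a local file, X-Body-Eval: evaluate the body, X-Content-Digest: cache lookup); they come from the remote origin and must never reach the cache layer.` and fold the names into one place, `foreach (['X-Body-File', 'X-Body-Eval', 'X-Content-Digest'] as $header) { $response->headers->remove($header); }`, ideally a private const the Store can share. The removal is correctly placed before the header bag is copied into the anonymous `ResponseHeaderBag` on the following line, so the replacement bag never sees them. The accompanying tests only exercise the canonical spelling of each name, so the fix is complete only if `HeaderBag::remove()` lower-cases its key like the rest of HttpFoundation, which this hunk does not show. The enclosing `handle()` method starts and ends outside the hunk.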