Описание
Prevent cache poisoning via a Response Content-Type header in Symfony
Description
When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.
Resolution
Symfony does not use the Accept header anymore to guess the Content-Type.
The patch for this issue is available here for the 4.4 branch.
Credits
I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.
Ссылки
- https://github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859
- https://nvd.nist.gov/vuln/detail/CVE-2020-5255
- https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2020-5255.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5255.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ
- https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header
- https://symfony.com/cve-2020-5255
Пакеты
symfony/http-foundation
>= 4.4.0, < 4.4.7
4.4.7
symfony/http-foundation
>= 5.0.0, < 5.0.7
5.0.7
symfony/symfony
>= 4.4.0, < 4.4.7
4.4.7
symfony/symfony
>= 5.0.0, < 5.0.7
5.0.7
Связанные уязвимости
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not ...