-
Notifications
You must be signed in to change notification settings - Fork 11.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content type hijack bug #31518
Comments
@adam1010, I appreciate the tag, but it's important to note that this is not something specific to Shift, or even Laravel for that matter, but potentially all sites using this version of Symfony's Request object. As such, I'd appreciate if you could use a generic example as this theoretically would behave the same for any Laravel 6 application, and again, not something specific to Shift. In the meantime, I'll keep an eye out for any patches to ensure the response type matches. |
@jasonmccreary Correct, this is in no way specific to Shift. I was just looking for site known to the Laravel community to demonstrate with. This may or may not affect Symfony applications, it depends how Symfony instantiates their The only reason Symfony is setting it here, is because Laravel didn't provide one and I guess they're trying to be helpful. I think Symfony could remove that block altogether but that doesn't mean Laravel can't protect itself by defaulting the Content-Type to |
This issue is already reported on the Symfony repository: symfony/symfony#35694 |
thanks @X-Coder264 Seems like from the Symfony issue, when no content-type was set it defaulted to framework/src/Illuminate/Routing/Router.php Line 749 in 7b074c1
|
@adam1010 with that solution how do you know the response to always be |
I agree, but I wonder if there is an opportunity to default this based on some safer assumptions. For example, either an ENV preset or when the Definitely can see this being a "gotcha" from both sides. |
This fixes issue #31518 where Laravel isn't setting a Content-Type and so Symfony is just setting it to whatever the request is asking for. This is poisoning our cache, serving up our website HTML pages as "XML".
This fixes issue laravel/framework#31518 where Laravel isn't setting a Content-Type and so Symfony is just setting it to whatever the request is asking for. This is poisoning our cache, serving up our website HTML pages as "XML".
The pr for this got merged. |
Description:
Using the
Accept
header on the request, a user/bot is able to change theContent-type
to something that doesn't match the actual content. This may seem like it only affects that user and thus doesn't matter, but nginx and other proxies will cache this Content-type header and on my site I'm having raw HTML displayed to users because a bot filled my cache with XML Content-type headers for my HTML pages.Steps To Reproduce:
curl -I -H "Accept: text/xml" https://laravelshift.com/
1a. Output has
Content-Type: text/xml;
even though that page is delivering HTMLcurl -I -H "Accept: application/json" https://laravelshift.com/
2a. Output has
Content-Type: application/json
even though that page is delivering HTMLThe Offending Code
The code that's doing this is located in
Symfony\Component\HttpFoundation\Response
in theprepare()
method.So Symfony is setting the Content-type to whatever the Request is asking for, regardless of what the type actually is. Laravel doesn't specify the Content-type when creating the
Response
for a regular HTML view. So if your controller has justreturn view('homepage')
thenIlluminate\Routing\Router::toResponse()
runs without setting the Content Type to HTML@jasonmccreary Figured I'd mention you here since I used your website as an example of being vulnerable to this. If you had a full page cache in front your site, you'd be seeing the same effect of bots causing regular users to see raw HTML displayed or error messages.
The text was updated successfully, but these errors were encountered: