When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and its Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.

Symfony no longer uses the Accept header to guess the Content-Type.
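The cache-poisoning mechanics described above, as an added illustration that is not Symfony's own code: a stripped-down model of the Content-Type fallback before and after the fix, run through a shared cache keyed on the path alone (no Vary: Accept). The request array's `accept` and `_format` keys and the `MIME` table are assumptions of this model.

```php
<?php
// Constructed model of the Content-Type fallback, not Symfony's own code: a
// shared cache keyed on the path stores the first response and replays it to
// every later client, whatever their Accept header.
const MIME = ['html' => 'text/html', 'json' => 'application/json'];

// Vulnerable behaviour: a response without Content-Type takes its format
// from the requesting client's Accept header.
function prepareVulnerable(array $request, array $response): array
{
    if (!isset($response['headers']['Content-Type'])) {
        $json = false !== strpos($request['accept'], 'application/json');
        $response['headers']['Content-Type'] = MIME[$json ? 'json' : 'html'];
    }
    return $response;
}

// Fixed behaviour: only the route's own _format attribute (assumed here to be
// carried in the request array) may fill in the Content-Type; Accept is never
// consulted and text/html stays the default.
function prepareFixed(array $request, array $response): array
{
    if (!isset($response['headers']['Content-Type'])) {
        $response['headers']['Content-Type'] = MIME[$request['_format'] ?? 'html'];
    }
    return $response;
}

// Replay each request through the cache; return the Content-Type each client saw.
function serve(callable $prepare, array $requests, array $response): array
{
    $cache = [];
    $seen = [];
    foreach ($requests as $req) {
        if (!isset($cache[$req['path']])) {
            $cache[$req['path']] = $prepare($req, $response);
        }
        $seen[] = $cache[$req['path']]['headers']['Content-Type'];
    }
    return $seen;
}

// Constructed input: an HTML page whose controller never set Content-Type,
// fetched first by an API client and then by a browser.
$htmlPage = ['body' => '<h1>Hello</h1>', 'headers' => []];
$requests = [
    ['path' => '/', 'accept' => 'application/json'],
    ['path' => '/', 'accept' => 'text/html'],
];
print_r(serve('prepareVulnerable', $requests, $htmlPage));
print_r(serve('prepareFixed', $requests, $htmlPage));
```

In the first run the API client's Accept header decides the Content-Type that the browser then receives from the cache; in the second both clients get text/html. Setting Content-Type explicitly on every Response (JsonResponse already does) removes the dependency on this fallback regardless of framework version.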
The patch for this issue is available here for the 4.4 branch.
I would like to thank Xavier Lacot from JoliCode for reporting, and Yonel Ceruto and Tobias Schultze for fixing the issue.
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2020-5255.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5255.yaml
github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6
github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859
lists.fedoraproject.org/archives/list/[email protected]/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ
nvd.nist.gov/vuln/detail/CVE-2020-5255
symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header
symfony.com/cve-2020-5255