CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header

Affected versions

Symfony 4.4.0 to 4.4.6 and 5.0.0 to 5.0.6 versions of the Symfony HttpFoundation component are affected by this security issue.

The issue has been fixed in Symfony 4.4.7 and 5.0.7.

Description

When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response’s content and Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.

Resolution

Symfony does not use the Accept header anymore to guess the Content-Type.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.

Log in to add a reaction to this post

add a reaction ❤️ 👍 🚀

Published in #Security Advisories