When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored, which protects you from "Cache poisoning" attacks.
In Symfony 5.2, we've added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing an X-Forwarded-Prefix HTTP header, leading to a web cache poisoning issue.
Symfony now ensures that the X-Forwarded-Prefix HTTP header is not forwarded to sub-requests when it is not trusted.
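The allow-list mechanism the advisory relies on can be checked directly from PHP. The following is an added example, not code from the advisory or from Symfony itself; it assumes symfony/http-foundation 5.2 or later is installed through Composer (the autoload path, the proxy CIDR and the client addresses are constructed for the example). It builds a request that carries an X-Forwarded-Prefix header and shows, for a weak trusted-header set beside a corrected one, whether the header value ends up in the base URL Symfony computes.

```php
<?php
// Added example (not from the advisory or Symfony's own code): shows how the
// trusted-header allow list controls whether Symfony honours X-Forwarded-Prefix.
// Assumes symfony/http-foundation 5.2+ installed via Composer (autoload path is an assumption).
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Constructed proxy network for the example; use your real proxy/load-balancer range.
const PROXY_CIDR = '10.0.0.0/8';

// Weak setting: every X-Forwarded-* header, including X-Forwarded-Prefix, is trusted.
const HEADERS_ALL = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST
    | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_PORT
    | Request::HEADER_X_FORWARDED_PREFIX;

// Corrected setting: trust only the headers the proxy actually sets.
// Leave HEADER_X_FORWARDED_PREFIX out unless your proxy really rewrites the path prefix.
const HEADERS_NO_PREFIX = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST
    | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_PORT;

/**
 * Build a request from the given client address that carries an
 * X-Forwarded-Prefix header, and return the base URL Symfony computes for it.
 * The prefix is only prepended when the request comes from a trusted proxy
 * AND HEADER_X_FORWARDED_PREFIX is part of the trusted header set.
 */
function baseUrlFor(string $remoteAddr, string $prefix, int $trustedHeaderSet): string
{
    Request::setTrustedProxies([PROXY_CIDR], $trustedHeaderSet);

    $request = Request::create('/products', 'GET', [], [], [], [
        'REMOTE_ADDR' => $remoteAddr,
        'HTTP_X_FORWARDED_PREFIX' => $prefix,
    ]);

    return $request->getBaseUrl();
}

// Constructed cases: a request from inside the proxy range and one from an
// arbitrary client, each against the weak and the corrected header set.
$cases = [
    ['10.1.2.3',    HEADERS_ALL,       'from proxy range, prefix in allow list'],
    ['10.1.2.3',    HEADERS_NO_PREFIX, 'from proxy range, prefix NOT in allow list'],
    ['203.0.113.9', HEADERS_ALL,       'from untrusted client, prefix in allow list'],
    ['203.0.113.9', HEADERS_NO_PREFIX, 'from untrusted client, prefix NOT in allow list'],
];

foreach ($cases as [$addr, $set, $label]) {
    printf("%-48s base URL = '%s'\n", $label, baseUrlFor($addr, '/injected', $set));
}
```

Run it with `php example.php`. Only the first case lets the header value reach the base URL; in the other three the header is ignored, which is the behaviour the allow list is meant to guarantee. Note that this exercises the main-request path; the advisory's point is that before the fix the same filtering was not applied to sub-requests, so a correctly configured allow list alone was not enough on affected versions and the patched release is still required.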
The patch for this issue is available here for branch 5.3.
We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.
Published in #Security Advisories