mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
69 lines
3.1 KiB
Markdown
69 lines
3.1 KiB
Markdown
|
# 3.7.5
|
||
|
|
|
||
|
|
* [CVE-2019-19326 Web Cache Poisoning](#CVE-2019-19326)
|
||
|
|
|
||
|
|
## CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326}
|
||
|
|
|
||
|
|
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
|
||
|
|
* `X-Original-Url` HTTP header
|
||
|
|
* `X-HTTP-Method-Override` HTTP header
|
||
|
|
* `_method` POST variable.
|
||
|
|
|
||
|
|
In order to remedy this vulnerability, Silverstripe Framework 3.7.5 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
|
||
|
|
|
||
|
|
### Re-enabling the support for removed features
|
||
|
|
|
||
|
|
These features are best implemented by defining a `RequestFilter`. Request Filters are similar to the more modern concept of "middleware" as defined by the PSR-15 standard and supported by Silverstripe 4.
|
||
|
|
|
||
|
|
The following example illustrate how to implement a `RequestFilter` that restore support for the `X-Original-Url` header and the `_method` POST parameter for request originating from a trusted proxy.
|
||
|
|
|
||
|
|
```php
|
||
|
|
<?php
|
||
|
|
|
||
|
|
/**
|
||
|
|
* This is meant to illustrate how to implement a RequestFilter. It assumes your
|
||
|
|
* trusted proxy will strip the insecure data from any requests. If you blindly
|
||
|
|
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
|
||
|
|
*/
|
||
|
|
class InsecureRequestProcessor implements RequestFilter
|
||
|
|
{
|
||
|
|
|
||
|
|
public function preRequest(SS_HTTPRequest $request, Session $session, DataModel $model)
|
||
|
|
{
|
||
|
|
if (TRUSTED_PROXY) {
|
||
|
|
$originalUrl = $request->getHeader('X-Original-Url');
|
||
|
|
if ($originalUrl) {
|
||
|
|
$request->setUrl($originalUrl);
|
||
|
|
$_SERVER['REQUEST_URI'] = $originalUrl;
|
||
|
|
}
|
||
|
|
|
||
|
|
$methodOverride = $request->postVar('_method');
|
||
|
|
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
|
||
|
|
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
|
||
|
|
$request->setMethod($methodOverride);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
return true;
|
||
|
|
}
|
||
|
|
|
||
|
|
public function postRequest(SS_HTTPRequest $request, SS_HTTPResponse $response, DataModel $model)
|
||
|
|
{
|
||
|
|
return true;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
To learn more about re-implementing support for the disabled features:
|
||
|
|
* read [How to implement a Request Filter](/developer_guides/controllers/requestfilters) on the Silverstripe documentation
|
||
|
|
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation
|
||
|
|
* review [api:RequestFilter] interface
|
||
|
|
|
||
|
|
To learn more about middleware:
|
||
|
|
* read the [PSR-15: HTTP Server Request Handlers](https://www.php-fig.org/psr/psr-15/) standard
|
||
|
|
* read the [Silverstripe 4 documentation about HTTP Middlewares](https://docs.silverstripe.org/en/4/developer_guides/controllers/middlewares/) standard.
|
||
|
|
|
||
|
|
<!--- Changes below this line will be automatically regenerated -->
|
||
|
|
|
||
|
|
<!--- Changes above this line will be automatically regenerated -->
|