Redirect echoes request headers

Created on 19 June 2024, 9 days ago

Problem/Motivation

The rediect to the login page copies the request headers. I discovered this because the redirect caused a 502 error on Platform.sh. That was caused by an empty Content-Length sneaking in via the request and PSHs Nginx not liking it in the response.

Request headers shouldn't be uncritically copied to the response. Most request headers doesn't make sense in a response (Host: for instance) and others could cause an information leak of headers used between internal systems.

Steps to reproduce

With a working installation, one can run:

curl --head 'https://<host>/oauth/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code' -H 'X-Some-Random: header'

and see the x-some-random header in the output (the case change is due to Symfonys handling of headers.

Proposed resolution

Remove the code adding the request headers.

🐛 Bug report

Status

Active

Version

5.2

Component

Code

Created by

🇩🇰Denmark Xen

Live updates comments and jobs are added and updated live.

Merge Requests

!132Redirect echoes request headers
Open
🇩🇰Denmark Xen
updated 9 days ago

Comments & Activities

Issue created by @Xen
Merge request !132Issue 3455605 by Xen: Don't echo request headers → (Open) created by Xen
Pipeline finished with Success
9 days ago
Total: 371s
#202667

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024