Redirect echoes request headers

Created on 19 June 2024, 5 months ago

Updated 16 August 2024, 3 months ago

Problem/Motivation

The rediect to the login page copies the request headers. I discovered this because the redirect caused a 502 error on Platform.sh. That was caused by an empty Content-Length sneaking in via the request and PSHs Nginx not liking it in the response.

Request headers shouldn't be uncritically copied to the response. Most request headers doesn't make sense in a response (Host: for instance) and others could cause an information leak of headers used between internal systems.

Steps to reproduce

With a working installation, one can run:

curl --head 'https://<host>/oauth/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code' -H 'X-Some-Random: header'

and see the x-some-random header in the output (the case change is due to Symfonys handling of headers.

Proposed resolution

Remove the code adding the request headers.

🐛 Bug report

Status

Fixed

Version

5.2

Component

Code

Created by

🇩🇰Denmark xen

Live updates comments and jobs are added and updated live.

Merge Requests

!132Redirect echoes request headers
Merged
🇩🇰Denmark xen
updated 4 months ago

Comments & Activities

Issue created by @xen
Merge request !132Issue: #3455605 by Xen: Don't echo request headers → (Merged) created by xen
Pipeline finished with Success
5 months ago
Total: 371s
#202667
Comment 4 months ago →
System Message

bojan_dev → committed d8e843d8 on 5.2.x authored by Xen →
Issue: #3455605 by Xen: Don't echo request headers
Status changed to Fixed 4 months ago6:38am 2 August 2024
Comment 4 months ago →
🇳🇱Netherlands bojan_dev
This was already resolved in 6.0.x, thanks for the MR.
Comment 3 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024