Impact
mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.
Patches
3.7.0, and 4.3.0 and later.
The patches present in these versions update the SwooleServerRequestFactory to filter out X-Forwarded-* headers when creating the initial request. They then by default pass that instance through a Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders instance created from the trustReservedSubnet() constructor, ensuring that the request only honors the X-Forwarded-* headers for private reserved subnets.
Users can define the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service if they wish to provide a different implementation, or configure the FilterUsingXForwardedHeaders instance differently. When defined, that instance will be used to filter the generated request instance.
Workarounds
Infrastructure or DevOps can place a trusted reverse proxy in front of the mezzio-swoole server.
References
For more information
If you have any questions or comments about this advisory:
Impact
mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a
Laminas\Diactoros\Uriinstance associated with the incoming server request modified to reflect values fromX-Forwarded-*headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.Patches
3.7.0, and 4.3.0 and later.
The patches present in these versions update the
SwooleServerRequestFactoryto filter outX-Forwarded-*headers when creating the initial request. They then by default pass that instance through aLaminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeadersinstance created from thetrustReservedSubnet()constructor, ensuring that the request only honors theX-Forwarded-*headers for private reserved subnets.Users can define the
Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterfaceservice if they wish to provide a different implementation, or configure theFilterUsingXForwardedHeadersinstance differently. When defined, that instance will be used to filter the generated request instance.Workarounds
Infrastructure or DevOps can place a trusted reverse proxy in front of the mezzio-swoole server.
References
For more information
If you have any questions or comments about this advisory: