Showing 10 changed files with 209 additions and 50 deletions.
@@ -0,0 +1,95 @@ | ||
# 3.7.5 | ||
|
||
* [CVE-2019-19326 Web Cache Poisoning](#CVE-2019-19326) | ||
* [CVE-2020-9311 Malicious user profile information can cause login form XSS](#CVE-2020-9311) | ||
|
||
## CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326} | ||
|
||
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the: | ||
* `X-Original-Url` HTTP header | ||
* `X-HTTP-Method-Override` HTTP header | ||
* `_method` POST variable. | ||
|
||
In order to remedy this vulnerability, Silverstripe Framework 3.7.5 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution. | ||
|
||
### Re-enabling the support for removed features | ||
|
||
These features are best implemented by defining a `RequestFilter`. Request Filters are similar to the more modern concept of "middleware" as defined by the PSR-15 standard and supported by Silverstripe 4. | ||
|
||
The following example illustrate how to implement a `RequestFilter` that restore support for the `X-Original-Url` header and the `_method` POST parameter for request originating from a trusted proxy. | ||
|
||
```php | ||
<?php | ||
|
||
/** | ||
* This is meant to illustrate how to implement a RequestFilter. It assumes your | ||
* trusted proxy will strip the insecure data from any requests. If you blindly | ||
* copy-paste this in in your code base, you'll simply replicate the vulnerability. | ||
*/ | ||
class InsecureRequestProcessor implements RequestFilter | ||
{ | ||
|
||
public function preRequest(SS_HTTPRequest $request, Session $session, DataModel $model) | ||
{ | ||
if (TRUSTED_PROXY) { | ||
$originalUrl = $request->getHeader('X-Original-Url'); | ||
if ($originalUrl) { | ||
$request->setUrl($originalUrl); | ||
$_SERVER['REQUEST_URI'] = $originalUrl; | ||
} | ||
|
||
$methodOverride = $request->postVar('_method'); | ||
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD']; | ||
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) { | ||
$request->setMethod($methodOverride); | ||
} | ||
} | ||
|
||
return true; | ||
} | ||
|
||
public function postRequest(SS_HTTPRequest $request, SS_HTTPResponse $response, DataModel $model) | ||
{ | ||
return true; | ||
} | ||
} | ||
``` | ||
|
||
To learn more about re-implementing support for the disabled features: | ||
* read [How to implement a Request Filter](/developer_guides/controllers/requestfilters) on the Silverstripe documentation | ||
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation | ||
* review [api:RequestFilter] interface | ||
|
||
To learn more about middleware: | ||
* read the [PSR-15: HTTP Server Request Handlers](https://www.php-fig.org/psr/psr-15/) standard | ||
* read the [Silverstripe 4 documentation about HTTP Middlewares](https://docs.silverstripe.org/en/4/developer_guides/controllers/middlewares/) standard. | ||
|
||
[Review the CVE-2019-19326 public disclosure](https://www.silverstripe.org/download/security-releases/cve-2019-19326) | ||
|
||
## CVE-2020-9311 Malicious user profile information can cause login form XSS {#CVE-2020-9311} | ||
|
||
Malicious users with a valid Silverstripe login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs. | ||
|
||
[Review the CVE-2020-9311 public disclosure](https://www.silverstripe.org/download/security-releases/cve-2020-9311) | ||
|
||
|
||
<!--- Changes below this line will be automatically regenerated --> | ||
|
||
## Change Log | ||
|
||
### Security | ||
|
||
* 2020-07-09 [c96e9d2fe](https://github.com/silverstripe/silverstripe-framework/commit/c96e9d2fe5e0fbea1da4059264e4da269889f55d) Add public disclosure statement to changelog (Maxime Rainville) - See [cve-2020-9311](https://www.silverstripe.org/download/security-releases/cve-2020-9311) | ||
* 2020-05-04 [074b28cf9](https://github.com/silverstripe/silverstripe-framework/commit/074b28cf937821a0d5627d3f19836ede1d662395) Add changelog for CVE-2019-19326 (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326) | ||
* 2020-04-28 [98926e4e6](https://github.com/silverstripe/silverstripe-framework/commit/98926e4e6c26d1d43bb1faf516d15bdb2739556e) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod(). (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326) | ||
* 2020-04-23 [d3b23e702](https://github.com/silverstripe/silverstripe-framework/commit/d3b23e7024add23de1cb643a44e30d249c2b7cd6) Escape First Name when displaying re-login screen (Maxime Rainville) - See [cve-2020-9311](https://www.silverstripe.org/download/security-releases/cve-2020-9311) | ||
|
||
### Features and Enhancements | ||
|
||
* 2019-11-18 [54e7223d9](https://github.com/silverstripe/silverstripe-framework/commit/54e7223d981eee7f00244ad9a79187ee3f2f063a) Docs rebuild for compliance with Gatsby (#9316) (Aaron Carlino) | ||
|
||
### Bugfixes | ||
|
||
* 2020-04-01 [6c8dc0fd9](https://github.com/silverstripe/silverstripe-framework/commit/6c8dc0fd9957d0f497ccc3c700c0d805aff1269e) Fix deprecated php syntax (Dan Hensby) | ||
* 2019-11-19 [42ab51230](https://github.com/silverstripe/silverstripe-framework/commit/42ab512306196d1010808adbe728f1fe179519aa) Fix broken callout tags (Aaron Carlino) | ||
<!--- Changes above this line will be automatically regenerated --> |
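Review bot: The `RequestFilter` example calls `$request->setMethod($methodOverride)`, but the Security change log entry for 074b28cf9/98926e4e6 in this same file says the fix "Add[s] SS_HTTPRequest::setHttpMethod()"; please confirm which setter exists on `SS_HTTPRequest` in 3.7.5 and make the example match, otherwise readers who follow the only documented route to re-enable the feature get a fatal error. Two smaller points in the same block: the guard `if (TRUSTED_PROXY)` relies on a constant that is never defined or explained, so it should either be replaced by the project's own trusted-proxy check (the "how to configure trusted proxies" link further down) or be called out in the doc comment as a placeholder the reader must supply; and the method check uppercases the value for the `in_array` test but then passes the original, un-normalised `$methodOverride` to the setter, so `strtoupper($methodOverride)` should be stored once and used for both. Finally, some wording nits in the prose: "The following example illustrate how to implement a `RequestFilter` that restore support ... for request originating" should read "illustrates", "restores" and "requests originating", and the trailing "standard." on the Silverstripe 4 middleware link looks copied from the PSR-15 bullet above it.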