security #cve-2021-41267 [HttpKernel] Fix missing extra trusted heade…

…r in sub-request (jderusse)

This PR was merged into the 5.3 branch.

HttpCache/SubRequestHandler.php

@@ -38,6 +38,7 @@ public static function handle(HttpKernelInterface $kernel, Request $request, int
                 'X_FORWARDED_HOST' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_HOST,
                 'X_FORWARDED_PROTO' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PROTO,
                 'X_FORWARDED_PORT' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PORT,
+                'X_FORWARDED_PREFIX' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PREFIX,
             ];
             foreach (array_filter($trustedHeaders) as $name => $key) {
                 $request->headers->remove($name);

Tests/HttpCache/SubRequestHandlerTest.php

@@ -42,13 +42,15 @@ public function testTrustedHeadersAreKept()
         $request->headers->set('X-Forwarded-Host', 'Good');
         $request->headers->set('X-Forwarded-Port', '1234');
         $request->headers->set('X-Forwarded-Proto', 'https');
+        $request->headers->set('X-Forwarded-Prefix', '/admin');
 
         $kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
             $this->assertSame('127.0.0.1', $request->server->get('REMOTE_ADDR'));
             $this->assertSame('10.0.0.2', $request->getClientIp());
             $this->assertSame('Good', $request->headers->get('X-Forwarded-Host'));
             $this->assertSame('1234', $request->headers->get('X-Forwarded-Port'));
             $this->assertSame('https', $request->headers->get('X-Forwarded-Proto'));
+            $this->assertSame('/admin', $request->headers->get('X-Forwarded-Prefix'));
         });
 
         SubRequestHandler::handle($kernel, $request, HttpKernelInterface::MAIN_REQUEST, true);
@@ -64,6 +66,7 @@ public function testUntrustedHeadersAreRemoved()
         $request->headers->set('X-Forwarded-Host', 'Evil');
         $request->headers->set('X-Forwarded-Port', '1234');
         $request->headers->set('X-Forwarded-Proto', 'http');
+        $request->headers->set('X-Forwarded-Prefix', '/admin');
         $request->headers->set('Forwarded', 'Evil2');
 
         $kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
@@ -72,6 +75,7 @@ public function testUntrustedHeadersAreRemoved()
             $this->assertFalse($request->headers->has('X-Forwarded-Host'));
             $this->assertFalse($request->headers->has('X-Forwarded-Port'));
             $this->assertFalse($request->headers->has('X-Forwarded-Proto'));
+            $this->assertFalse($request->headers->has('X-Forwarded-Prefix'));
             $this->assertSame('for="10.0.0.1";host="localhost";proto=http', $request->headers->get('Forwarded'));
         });
 
@@ -112,12 +116,14 @@ public function testTrustedXForwardedForHeader()
         $request->headers->set('X-Forwarded-For', '10.0.0.2');
         $request->headers->set('X-Forwarded-Host', 'foo.bar');
         $request->headers->set('X-Forwarded-Proto', 'https');
+        $request->headers->set('X-Forwarded-Prefix', '/admin');
 
         $kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
             $this->assertSame('127.0.0.1', $request->server->get('REMOTE_ADDR'));
             $this->assertSame('10.0.0.2', $request->getClientIp());
             $this->assertSame('foo.bar', $request->getHttpHost());
             $this->assertSame('https', $request->getScheme());
+            $this->assertSame('/admin', $request->getBaseUrl());
         });
 
         SubRequestHandler::handle($kernel, $request, HttpKernelInterface::MAIN_REQUEST, true);