security #cve-2020-15094 Remove headers with internal meaning from Ht…

…tpClient responses (mpdude) This PR was merged into the 4.4 branch.
symfony · Sep 2, 2020 · cdf1e9b · cdf1e9b
2 parents a5ed890 + 8e8d0ed
commit cdf1e9b
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/HttpClientKernel.php b/HttpClientKernel.php
@@ -58,6 +58,10 @@ public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQ
 
         $response = new Response($response->getContent(!$catch), $response->getStatusCode(), $response->getHeaders(!$catch));
 
+        $response->headers->remove('X-Body-File');
+        $response->headers->remove('X-Body-Eval');
+        $response->headers->remove('X-Content-Digest');
+
         $response->headers = new class($response->headers->all()) extends ResponseHeaderBag {
             protected function computeCacheControlValue(): string
             {