Skip to content

Prevent cache poisoning via a Response Content-Type header

nicolas-grekas published GHSA-mcx4-f5f5-4859 Mar 30, 2020
Severity
moderate
Packages
symfony/http-foundation (composer)
Affected versions
>= 4.4.0, <4.4.7 || >= 5.0.0, <5.0.7
Patched versions
4.4.7, 5.0.7
CVE identifier
CVE-2020-5255

Description

When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.

Resolution

Symfony does not use the Accept header anymore to guess the Content-Type.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.

Credits