[Security/Csrf] Trust "Referer" at the same level as "Origin" #59269
Conversation
| @@ -227,9 +227,21 @@ public function onKernelResponse(ResponseEvent $event): void | |||
| */ | |||
| private function isValidOrigin(Request $request): ?bool | |||
| { | |||
| $source = $request->headers->get('Origin') ?? $request->headers->get('Referer') ?? 'null'; | |||
| $target = $request->getSchemeAndHttpHost().'/'; | |||
| $source = 'null'; | |||
There was a problem hiding this comment.
why using a string containing null here instead of an actual null value ?
There was a problem hiding this comment.
The "null" string is a possible value of the Origin header. This saves checking for one more case.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin#description
There was a problem hiding this comment.
Hum, here you assume that we cannot receive Origin: null and Referer: http://not-the-same-origin.com/. From the doc it seems unlikely to expose the Referer with "privacy sensitive" origin.
Edit: the function will return false while previously that case returned null. Which is safer for this limit case.
There was a problem hiding this comment.
Yep, that's what we should do, isn't it?
|
Thank you @nicolas-grekas. |
As hinted by @GromNaN in symfony/demo#1542 (comment), there are proxies that mess up with the
Originheader, but forward a validRefererheader. Since both headers have the same level of trust, I'm proposing to trust them both equally. At the moment,OriginoverridesReferer. With this PR, we check both and accept if justReferermatches.