mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a
Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from
X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.
3.7.0, and 4.3.0 and later.
The patches present in these versions update the
SwooleServerRequestFactory to filter out
X-Forwarded-* headers when creating the initial request. They then by default pass that instance through a
Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders instance created from the
trustReservedSubnet() constructor, ensuring that the request only honors the
X-Forwarded-* headers for private reserved subnets.
Users can define the
Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service if they wish to provide a different implementation, or configure the
FilterUsingXForwardedHeaders instance differently. When defined, that instance will be used to filter the generated request instance.
Infrastructure or DevOps can place a trusted reverse proxy in front of the mezzio-swoole server.
If you have any questions or comments about this advisory: