GHSA-c8rp-cgf4-937w

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-c8rp-cgf4-937w/GHSA-c8rp-cgf4-937w.json
Published
2022-07-29T22:26:10Z
Modified
2022-07-29T22:26:10Z
Details

Impact

mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

Patches

3.7.0, and 4.3.0 and later.

The patches present in these versions update the SwooleServerRequestFactory to filter out X-Forwarded-* headers when creating the initial request. They then by default pass that instance through a Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders instance created from the trustReservedSubnet() constructor, ensuring that the request only honors the X-Forwarded-* headers for private reserved subnets.

Users can define the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service if they wish to provide a different implementation, or configure the FilterUsingXForwardedHeaders instance differently. When defined, that instance will be used to filter the generated request instance.

Workarounds

Infrastructure or DevOps can place a trusted reverse proxy in front of the mezzio-swoole server.

References

For more information

If you have any questions or comments about this advisory:

References

Affected packages

Packagist / mezzio/mezzio-swoole

mezzio/mezzio-swoole

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
3.7.0

Affected versions

Packagist / mezzio/mezzio-swoole

mezzio/mezzio-swoole

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.3.0

Affected versions