Skip to content

[Security/Csrf] Trust "Referer" at the same level as "Origin" #59269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
GromNaN merged 1 commit into from
Dec 22, 2024
Merged

[Security/Csrf] Trust "Referer" at the same level as "Origin" #59269

GromNaN merged 1 commit into from
Dec 22, 2024

Conversation

@nicolas-grekas
Copy link
Member

@nicolas-grekas nicolas-grekas commented Dec 20, 2024
edited
Loading

Q A
Branch? 7.2
Bug fix? yes
New feature? no
Deprecations? no
Issues symfony/demo#1542
License MIT

As hinted by @GromNaN in symfony/demo#1542 (comment), there are proxies that mess up with the Origin header, but forward a valid Referer header. Since both headers have the same level of trust, I'm proposing to trust them both equally. At the moment, Origin overrides Referer. With this PR, we check both and accept if just Referer matches.

@carsonbot carsonbot added this to the 7.2 milestone Dec 20, 2024
stof
stof reviewed Dec 20, 2024
View reviewed changes
src/Symfony/Component/Security/Csrf/SameOriginCsrfTokenManager.php
{
$source = $request->headers->get('Origin') ?? $request->headers->get('Referer') ?? 'null';
$target = $request->getSchemeAndHttpHost().'/';
$source = 'null';
Copy link
Member

@stof stof Dec 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why using a string containing null here instead of an actual null value ?

Copy link
Member Author

@nicolas-grekas nicolas-grekas Dec 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "null" string is a possible value of the Origin header. This saves checking for one more case.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin#description

Copy link
Member

@GromNaN GromNaN Dec 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hum, here you assume that we cannot receive Origin: null and Referer: http://not-the-same-origin.com/. From the doc it seems unlikely to expose the Referer with "privacy sensitive" origin.

Edit: the function will return false while previously that case returned null. Which is safer for this limit case.

Copy link
Member Author

@nicolas-grekas nicolas-grekas Dec 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, that's what we should do, isn't it?

Copy link
Member

@GromNaN GromNaN Dec 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes;

@GromNaN GromNaN mentioned this pull request Dec 20, 2024
Open
11 tasks
@GromNaN GromNaN requested a review from stof December 21, 2024 16:34
@GromNaN
Copy link
Member

GromNaN commented Dec 22, 2024

Thank you @nicolas-grekas.

@GromNaN GromNaN merged commit 909cb59 into symfony:7.2 Dec 22, 2024
11 checks passed
@nicolas-grekas nicolas-grekas deleted the csrf-referer branch December 22, 2024 18:55
@fabpot fabpot mentioned this pull request Dec 31, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@GromNaN GromNaN GromNaN approved these changes

@stof stof stof approved these changes

@chalasr chalasr chalasr approved these changes

Assignees

No one assigned

Labels

Bug Status: Reviewed

Projects

None yet

Milestone

7.2

Development

Successfully merging this pull request may close these issues.

5 participants

@nicolas-grekas @GromNaN @stof @chalasr @carsonbot