
Conversation

@MatTheCat
Contributor

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #61560
| License       | MIT

Currently trusted headers are both copied from the original request and used to generate the URI. That means if we have a trusted /foo prefix the URI generated for /bar would be /foo/bar, and the new request URI would be /foo/foo/bar.

This PR temporarily distrusts proxies so that the generated URI would be /bar, and the new request URI /foo/bar.
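The following is an added example, not Symfony's own code, that reproduces the double-prefix behaviour described above and the "temporarily distrust proxies" approach the PR takes. It assumes `symfony/http-foundation` is installed via Composer and uses only public `Request` API (`setTrustedProxies`, `getTrustedProxies`, `getTrustedHeaderSet`, `getUriForPath`, `create`, `getUri`); the function names `createRequestBuggy` and `createRequestFixed` and the `/foo` / `/bar` sample values are illustrative.

```php
<?php
// Added example (not Symfony's own code): the pre-fix double prefix and the
// temporary-distrust fix, side by side. Assumes symfony/http-foundation is
// installed via Composer.

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Trust the loopback proxy for the X-Forwarded-Prefix header only.
// Request::create() sets REMOTE_ADDR to 127.0.0.1, so the header is honoured.
Request::setTrustedProxies(['127.0.0.1'], Request::HEADER_X_FORWARDED_PREFIX);

// Constructed sample: a request that arrived through a proxy which stripped
// the /foo prefix and advertised it via X-Forwarded-Prefix.
$original = Request::create('/', 'GET', [], [], [], ['HTTP_X_FORWARDED_PREFIX' => '/foo']);

/**
 * Pre-fix behaviour: the prefix is applied by getUriForPath() (the original
 * request trusts the proxy) and then again by the new request, because the
 * forwarded header is copied along with the rest of the server parameters.
 */
function createRequestBuggy(Request $request, string $path): Request
{
    $uri = $request->getUriForPath($path);

    return Request::create($uri, 'GET', [], $request->cookies->all(), [], $request->server->all());
}

/**
 * Fixed behaviour: distrust every proxy while the URI is generated so that it
 * carries no prefix; the copied header then contributes the prefix once, when
 * trust is restored and the new request is read.
 */
function createRequestFixed(Request $request, string $path): Request
{
    $trustedProxies = Request::getTrustedProxies();
    $trustedHeaderSet = Request::getTrustedHeaderSet();

    Request::setTrustedProxies([], $trustedHeaderSet);
    try {
        $uri = $request->getUriForPath($path);

        return Request::create($uri, 'GET', [], $request->cookies->all(), [], $request->server->all());
    } finally {
        // Always restore the global trust configuration, even on exceptions.
        Request::setTrustedProxies($trustedProxies, $trustedHeaderSet);
    }
}

echo 'buggy: ', createRequestBuggy($original, '/bar')->getUri(), PHP_EOL;
echo 'fixed: ', createRequestFixed($original, '/bar')->getUri(), PHP_EOL;
```

Per the PR description, the first call yields a URI ending in `/foo/foo/bar` and the second one ending in `/foo/bar`. The `try`/`finally` matters because `setTrustedProxies()` is process-global state: if URI generation throws and trust is not restored, every later request in the same process would silently ignore forwarded headers.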

@nicolas-grekas
Member

Thank you @MatTheCat.

@nicolas-grekas nicolas-grekas merged commit c5ac440 into symfony:6.4 Sep 5, 2025
9 of 11 checks passed
@MatTheCat MatTheCat deleted the ticket_61560 branch September 5, 2025 12:58
@kira0269

Hi @MatTheCat ,

It seems that there is still an issue when we try to create a request from a route name, not a path:

```php
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\HttpUtils;

// In your test, use path to create the request => OK
(new HttpUtils())->createRequest(Request::create('/', server: ['HTTP_X_FORWARDED_PREFIX' => '/foo']), '/')->getUri();

// Using route name to create the request => KO
(new HttpUtils())->createRequest(Request::create('/', server: ['HTTP_X_FORWARDED_PREFIX' => '/foo']), 'my_route')->getUri();
```

@MatTheCat
Contributor Author

Hey @kira0269 your example doesn’t mention what the problem is and I’m not able to see any. You can open a new issue if you noticed something is wrong.

@MatTheCat
Contributor Author

Okay was able to reproduce: the URL generator context should also be updated. Will open a PR; no need for an issue.

Thanks!

nicolas-grekas added a commit that referenced this pull request Nov 12, 2025
…xt’s base URL isn’t empty (MatTheCat)

This PR was merged into the 6.4 branch.

Discussion
----------

[Security] Fix `HttpUtils::createRequest()` when the context’s base URL isn’t empty

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #61659 (comment)
| License       | MIT

Commits
-------

3210543 [Security] Fix `HttpUtils::createRequest()` when the context’s base URL isn’t empty
