Allow double slashes in the path according to the RFC3986 #77
Conversation
Signed-off-by: Marcel Thole <marcel@marcelthole.de>
marcelthole
force-pushed
the
change-psr7-double-slash
branch
from
99462ef to
47f5b5c
Compare
| @@ -546,13 +546,6 @@ public function testFragmentIsNotDoubleEncoded() | |||
| $this->assertSame($expected, $uri->getFragment()); | |||
| } | |||
|
|
|||
| public function testProperlyTrimsLeadingSlashesToPreventXSS() | |||
There was a problem hiding this comment.
The "to prevent XSS" is the scariest bit here - I would suggest @weierophinney to look at it, considering the original 68fc742 commit.
I don't know the context for that initial commit myself, sorry :-\
The original text for the release:
## 1.0.4 - 2015-06-23
This is a security release.
A patch has been applied to `Zend\Diactoros\Uri::filterPath()` that ensures that
paths can only begin with a single leading slash. This prevents the following
potential security issues:
- XSS vectors. If the URI path is used for links or form targets, this prevents
cases where the first segment of the path resembles a domain name, thus
creating scheme-relative links such as `//example.com/foo`. With the patch,
the leading double slash is reduced to a single slash, preventing the XSS
vector.
- Open redirects. If the URI path is used for `Location` or `Link` headers,
without a scheme and authority, potential for open redirects exist if clients
do not prepend the scheme and authority. Again, preventing a double slash
corrects the vector.
If you are using `Zend\Diactoros\Uri` for creating links, form targets, or
redirect paths, and only using the path segment, we recommend upgrading
immediately.
There was a problem hiding this comment.
Honestly, I think the PSR-7 integration tests need to be updated to reflect this security fix.
|
I've added this to the |
|
@laminas/technical-steering-committee I don't know what to do with this one: can I get an opinion, please? |
|
I'd consider the PSR-7 test suite in error here, as it leads to an XSS vulnerability, and I recommend providing them our security test instead. |
|
The part that particularly concerns me is the removal of the security related test - this would be not just a BC break, but reintroduction of a previously patched vulnerability. |
I think the tricky thing here is context since the XSS vulnerability happens depending on the usage. My question, though, is: should a low-level component such as a PSR-7 implementation be responsible for preventing those redirection vulnerabilities? If so, we should probably look at solving this on the specification level IMHO. |
I think it should, as:
This latter is exactly what was reported, and the CVE was not limited to Diactoros, but was also reported against a number of libraries that generate/represent URIs. In terms of solving it at the specification level, that's absolutely do-able (we recently did it for a class of vulnerabilities related to multi-line headers); I think we can still push a patch now to the upstream PSR-7 test suite with the test we created when patching the vulnerability reported against us. |
Per an [issue created for Diactoros](laminas/laminas-diactoros#74) its [related pull request](laminas/laminas-diactoros#77), and the discussion to that pull request, this patch does the following: - It modifies `testPathWithMultipleSlashes()` to only validate that multiple slashes _not at the beginning_ of a path are retained intact. - It adds `testProperlyTrimsLeadingSlashesToPreventXSS()`, which validates that when multiple leading slashes are present in a path, they are reduced to a single slash. This approach is done to mitigate [ZF2015-05](https://framework.zend.com/security/advisory/ZF2015-05.html) which was also reported as [CVE-2015-3257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3257). While RFC 3986 allows for multiple slashes anywhere in the path, when security conflicts with a specification, security concerns win. Without the mitigation, an implementation is vulnerable to XSS and open redirects if only the path portion of a URI is used within HTML content (common!) or within headers (also common). Signed-off-by: Matthew Weier O'Phinney <matthew@weierophinney.net>
|
Maybe handled by #128 ? Unsure 🤔 |
Description
This resolves #74
maybe it could be a BC break, because the behavior of the
getPathhas changed.its since this commit: 68fc742