security #cve-2020-15094 Remove headers with internal meaning from HttpClient responses (mpdude)

fabpot · fabpot · commit cdf1e9b2b404 · 2020-09-02T09:40:48.000+02:00
This PR was merged into the 4.4 branch.
diff --git a/HttpClientKernel.php b/HttpClientKernel.php
@@ -58,6 +58,10 @@ public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQ
 
         $response = new Response($response->getContent(!$catch), $response->getStatusCode(), $response->getHeaders(!$catch));
 
+        $response->headers->remove('X-Body-File');
+        $response->headers->remove('X-Body-Eval');
+        $response->headers->remove('X-Content-Digest');
+
         $response->headers = new class($response->headers->all()) extends ResponseHeaderBag {
             protected function computeCacheControlValue(): string
             {

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,10 @@ public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQ`
`58`	`58`
`59`	`59`	`$response = new Response($response->getContent(!$catch), $response->getStatusCode(), $response->getHeaders(!$catch));`
`60`	`60`
	`61`	`+ $response->headers->remove('X-Body-File');`
	`62`	`+ $response->headers->remove('X-Body-Eval');`
	`63`	`+ $response->headers->remove('X-Content-Digest');`
	`64`	`+`
`61`	`65`	`$response->headers = new class($response->headers->all()) extends ResponseHeaderBag {`
`62`	`66`	`protected function computeCacheControlValue(): string`
`63`	`67`	`{`