From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Tue, 16 Apr 2019 10:45:11 +0200
Subject: security #cve-2019-10913 [HttpFoundation] reject invalid method
override (nicolas-grekas)
This PR was merged into the 2.8 branch.
Discussion
----------
[HttpFoundation] reject invalid method override
Based on #86
Commits
-------
d7dcedbf1d [HttpFoundation] reject invalid method override
Origin: upstream, https://github.com/symfony/symfony/commit/e88a63114a6c9c63eac2773210098d955753ece4
---
src/Symfony/Component/HttpFoundation/Request.php | 43 ++++++++++++++++--------
1 file changed, 29 insertions(+), 14 deletions(-)
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
index a1cfe26..296a91e 100644
--- a/src/Symfony/Component/HttpFoundation/Request.php
+++ b/src/Symfony/Component/HttpFoundation/Request.php
@@ -1291,22 +1291,37 @@ class Request
*/
public function getMethod()
{
- if (null === $this->method) {
- $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
-
- if ('POST' === $this->method) {
- if ($method = $this->headers->get('X-HTTP-METHOD-OVERRIDE')) {
- $this->method = strtoupper($method);
- } elseif (self::$httpMethodParameterOverride) {
- $method = $this->request->get('_method', $this->query->get('_method', 'POST'));
- if (\is_string($method)) {
- $this->method = strtoupper($method);
- }
- }
- }
+ if (null !== $this->method) {
+ return $this->method;
+ }
+
+ $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
+
+ if ('POST' !== $this->method) {
+ return $this->method;
+ }
+
+ $method = $this->headers->get('X-HTTP-METHOD-OVERRIDE');
+
+ if (!$method && self::$httpMethodParameterOverride) {
+ $method = $this->request->get('_method', $this->query->get('_method', 'POST'));
+ }
+
+ if (!\is_string($method)) {
+ return $this->method;
+ }
+
+ $method = strtoupper($method);
+
+ if (\in_array($method, array('GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'), true)) {
+ return $this->method = $method;
+ }
+
+ if (!preg_match('/^[A-Z]++$/D', $method)) {
+ throw new \UnexpectedValueException(sprintf('Invalid method override "%s".', $method));
}
- return $this->method;
+ return $this->method = $method;
}
/**
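Review bot: The `throw new \UnexpectedValueException(sprintf('Invalid method override "%s".', $method))` branch still embeds the raw, attacker-controlled override value in the exception message even though the whole point of the check is that the value failed `^[A-Z]++$`, so it can carry arbitrary bytes, HTML or control characters; anything that renders or logs that message (debug error pages, log handlers) must treat it as untrusted, and a comment above the throw saying so, e.g. `// $method is attacker-controlled and failed validation: never render this message unescaped`, would prevent a later "improvement" from echoing it. Separately, the `[A-Z]++` pattern is deliberately narrower than an RFC 7230 token, so overrides such as `VERSION-CONTROL` or any method containing a digit or `-` are rejected with this exception rather than passed through; that is the safer choice for an attacker-reachable override, but it is worth stating in a comment, e.g. `// Stricter than RFC 7230 tchar on purpose: only bare uppercase letters are accepted as an override`. Note also that the `X-HTTP-METHOD-OVERRIDE` header on line 50 is honoured regardless of `self::$httpMethodParameterOverride`, which only gates the `_method` parameter; that asymmetry predates this change but is easy to misread when the two paths are now merged into one variable.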