Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit d876809

Browse filesBrowse files
thewilkybarkidfabpot
thewilkybarkid
authored and
fabpot
committed
Return a 400 response for suspicious operations
1 parent e98c068 commit d876809
Copy full SHA for d876809

File tree

6 files changed

+42
-6
lines changed
Filter options

6 files changed

+42
-6
lines changed

‎src/Symfony/Component/Debug/Exception/FlattenException.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Debug/Exception/FlattenException.php
+3Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111

1212
namespace Symfony\Component\Debug\Exception;
1313

14+
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
1415
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
1516

1617
/**
@@ -41,6 +42,8 @@ public static function create(\Exception $exception, $statusCode = null, array $
4142
if ($exception instanceof HttpExceptionInterface) {
4243
$statusCode = $exception->getStatusCode();
4344
$headers = array_merge($headers, $exception->getHeaders());
45+
} elseif ($exception instanceof SuspiciousOperationException) {
46+
$statusCode = 400;
4447
}
4548

4649
if (null === $statusCode) {

‎src/Symfony/Component/Debug/Tests/Exception/FlattenExceptionTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Debug/Tests/Exception/FlattenExceptionTest.php
+6Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
namespace Symfony\Component\Debug\Tests\Exception;
1313

1414
use Symfony\Component\Debug\Exception\FlattenException;
15+
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
1516
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
1617
use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;
1718
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
@@ -78,6 +79,11 @@ public function testStatusCode()
7879

7980
$flattened = FlattenException::create(new UnsupportedMediaTypeHttpException());
8081
$this->assertEquals('415', $flattened->getStatusCode());
82+
83+
if (class_exists(SuspiciousOperationException::class)) {
84+
$flattened = FlattenException::create(new SuspiciousOperationException());
85+
$this->assertEquals('400', $flattened->getStatusCode());
86+
}
8187
}
8288

8389
public function testHeadersForHttpException()

‎src/Symfony/Component/HttpFoundation/Exception/SuspiciousOperationException.php

Copy file name to clipboard
+20Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Component\HttpFoundation\Exception;
13+
14+
/**
15+
* Raised when a user has performed an operation that should be considered
16+
* suspicious from a security perspective.
17+
*/
18+
class SuspiciousOperationException extends \UnexpectedValueException
19+
{
20+
}

‎src/Symfony/Component/HttpFoundation/Request.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpFoundation/Request.php
+4-3Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
namespace Symfony\Component\HttpFoundation;
1313

1414
use Symfony\Component\HttpFoundation\Exception\ConflictingHeadersException;
15+
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
1516
use Symfony\Component\HttpFoundation\Session\SessionInterface;
1617

1718
/**
@@ -1198,7 +1199,7 @@ public function isSecure()
11981199
*
11991200
* @return string
12001201
*
1201-
* @throws \UnexpectedValueException when the host name is invalid
1202+
* @throws SuspiciousOperationException when the host name is invalid
12021203
*/
12031204
public function getHost()
12041205
{
@@ -1220,7 +1221,7 @@ public function getHost()
12201221
// check that it does not contain forbidden characters (see RFC 952 and RFC 2181)
12211222
// use preg_replace() instead of preg_match() to prevent DoS attacks with long host names
12221223
if ($host && '' !== preg_replace('/(?:^\[)?[a-zA-Z0-9-:\]_]+\.?/', '', $host)) {
1223-
throw new \UnexpectedValueException(sprintf('Invalid Host "%s"', $host));
1224+
throw new SuspiciousOperationException(sprintf('Invalid Host "%s"', $host));
12241225
}
12251226

12261227
if (count(self::$trustedHostPatterns) > 0) {
@@ -1238,7 +1239,7 @@ public function getHost()
12381239
}
12391240
}
12401241

1241-
throw new \UnexpectedValueException(sprintf('Untrusted Host "%s"', $host));
1242+
throw new SuspiciousOperationException(sprintf('Untrusted Host "%s"', $host));
12421243
}
12431244

12441245
return $host;

‎src/Symfony/Component/HttpFoundation/Tests/RequestTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
+3-2Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111

1212
namespace Symfony\Component\HttpFoundation\Tests;
1313

14+
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
1415
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
1516
use Symfony\Component\HttpFoundation\Session\Session;
1617
use Symfony\Component\HttpFoundation\Request;
@@ -1871,7 +1872,7 @@ public function testTrustedHosts()
18711872
try {
18721873
$request->getHost();
18731874
$this->fail('Request::getHost() should throw an exception when host is not trusted.');
1874-
} catch (\UnexpectedValueException $e) {
1875+
} catch (SuspiciousOperationException $e) {
18751876
$this->assertEquals('Untrusted Host "evil.com"', $e->getMessage());
18761877
}
18771878

@@ -1935,7 +1936,7 @@ public function testHostValidity($host, $isValid, $expectedHost = null, $expecte
19351936
$this->assertSame($expectedPort, $request->getPort());
19361937
}
19371938
} else {
1938-
$this->setExpectedException('UnexpectedValueException', 'Invalid Host');
1939+
$this->setExpectedException(SuspiciousOperationException::class, 'Invalid Host');
19391940
$request->getHost();
19401941
}
19411942
}

‎src/Symfony/Component/HttpKernel/EventListener/RouterListener.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/EventListener/RouterListener.php
+6-1Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
namespace Symfony\Component\HttpKernel\EventListener;
1313

1414
use Psr\Log\LoggerInterface;
15+
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
1516
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
1617
use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
1718
use Symfony\Component\HttpKernel\KernelEvents;
@@ -68,7 +69,11 @@ public function __construct($matcher, RequestStack $requestStack, RequestContext
6869
private function setCurrentRequest(Request $request = null)
6970
{
7071
if (null !== $request) {
71-
$this->context->fromRequest($request);
72+
try {
73+
$this->context->fromRequest($request);
74+
} catch (SuspiciousOperationException $e) {
75+
// Do nothing.
76+
}
7277
}
7378
}
7479

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.