Skip to content

[HttpKernel] Don't use eval() to render ESI/SSI #50238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 5, 2023
Merged

[HttpKernel] Don't use eval() to render ESI/SSI #50238

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 6 additions & 10 deletions src/Symfony/Component/HttpKernel/HttpCache/Esi.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,8 +80,10 @@ public function process(Request $request, Response $response)
$content = preg_replace('#<esi\:remove>.*?</esi\:remove>#s', '', $content);
$content = preg_replace('#<esi\:comment[^>]+>#s', '', $content);

static $cookie;
$cookie = hash('md5', $cookie ?? $cookie = random_bytes(16), true);
$boundary = base64_encode($cookie);
$chunks = preg_split('#<esi\:include\s+(.*?)\s*(?:/|</esi\:include)>#', $content, -1, \PREG_SPLIT_DELIM_CAPTURE);
$chunks[0] = str_replace($this->phpEscapeMap[0], $this->phpEscapeMap[1], $chunks[0]);

$i = 1;
while (isset($chunks[$i])) {
Expand All @@ -95,16 +97,10 @@ public function process(Request $request, Response $response)
throw new \RuntimeException('Unable to process an ESI tag without a "src" attribute.');
}

$chunks[$i] = sprintf('<?php echo $this->surrogate->handle($this, %s, %s, %s) ?>'."\n",
var_export($options['src'], true),
var_export($options['alt'] ?? '', true),
isset($options['onerror']) && 'continue' === $options['onerror'] ? 'true' : 'false'
);
++$i;
$chunks[$i] = str_replace($this->phpEscapeMap[0], $this->phpEscapeMap[1], $chunks[$i]);
++$i;
$chunks[$i] = $boundary.$options['src']."\n".($options['alt'] ?? '')."\n".('continue' === ($options['onerror'] ?? ''))."\n";
$i += 2;
}
$content = implode('', $chunks);
$content = $boundary.implode('', $chunks).$boundary;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of putting the boundaries around the content of the returned response, which force the caller to be aware of it to remove it (even if the content has no ESI tag), we might put the boundary in a header X-Body-Boundary (that the caller can still remove), which might make the removal easier

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The caller has to be aware of the content in any cases.
Putting it before+after allows a quick check to ensure it's correct in HttpCache:
if (substr($content, -24) === $boundary = substr($content, 0, 24)) {


$response->setContent($content);
$response->headers->set('X-Body-Eval', 'ESI');
Expand Down
16 changes: 15 additions & 1 deletion src/Symfony/Component/HttpKernel/HttpCache/HttpCache.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -636,7 +636,21 @@ private function restoreResponseBody(Request $request, Response $response)
if ($response->headers->has('X-Body-File')) {
include $response->headers->get('X-Body-File');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why still have a case relying on including a file here. Is this something we should also try to change ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or maybe combining X-Body-File and X-Body-Eval is an impossible case ? And if we stop using PHP code, wouldn't we break this case that expect to include the file to evaluate it ?

Copy link
Member Author

@nicolas-grekas nicolas-grekas May 5, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no need to change this: the required file cannot come from any user input, and we do validate the name of the file, so that arbitrary file inclusion is not possible.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, from my understanding of re-reading this code, this X-Body-File corresponds to a file written in the cache store. If we stop using PHP to implement the ESI logic, we might need to process the boundaries there instead of evaluating the file.

Do we have functional tests covering the case of a processing of ESI tags alongside a cached response of HttpCache ? Because I suspect that this is the case that is now broken (we would write the cache with boundaries instead of PHP code but read it as if it was PHP code).

} else {
eval('; ?>'.$response->getContent().'<?php ;');
$content = $response->getContent();

if (substr($content, -24) === $boundary = substr($content, 0, 24)) {
$j = strpos($content, $boundary, 24);
echo substr($content, 24, $j - 24);
$i = $j + 24;

while (false !== $j = strpos($content, $boundary, $i)) {
[$uri, $alt, $ignoreErrors, $part] = explode("\n", substr($content, $i, $j - $i), 4);
$i = $j + 24;

echo $this->surrogate->handle($this, $uri, $alt, $ignoreErrors);
echo $part;
}
}
}

$response->setContent(ob_get_clean());
Expand Down
14 changes: 6 additions & 8 deletions src/Symfony/Component/HttpKernel/HttpCache/Ssi.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,8 +65,10 @@ public function process(Request $request, Response $response)
// we don't use a proper XML parser here as we can have SSI tags in a plain text response
$content = $response->getContent();

static $cookie;
$cookie = hash('md5', $cookie ?? $cookie = random_bytes(16), true);
$boundary = base64_encode($cookie);
$chunks = preg_split('#<!--\#include\s+(.*?)\s*-->#', $content, -1, \PREG_SPLIT_DELIM_CAPTURE);
$chunks[0] = str_replace($this->phpEscapeMap[0], $this->phpEscapeMap[1], $chunks[0]);

$i = 1;
while (isset($chunks[$i])) {
Expand All @@ -80,14 +82,10 @@ public function process(Request $request, Response $response)
throw new \RuntimeException('Unable to process an SSI tag without a "virtual" attribute.');
}

$chunks[$i] = sprintf('<?php echo $this->surrogate->handle($this, %s, \'\', false) ?>'."\n",
var_export($options['virtual'], true)
);
++$i;
$chunks[$i] = str_replace($this->phpEscapeMap[0], $this->phpEscapeMap[1], $chunks[$i]);
++$i;
$chunks[$i] = $boundary.$options['virtual']."\n\n\n";
$i += 2;
}
$content = implode('', $chunks);
$content = $boundary.implode('', $chunks).$boundary;

$response->setContent($content);
$response->headers->set('X-Body-Eval', 'SSI');
Expand Down
19 changes: 12 additions & 7 deletions src/Symfony/Component/HttpKernel/Tests/HttpCache/EsiTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ public function testMultilineEsiRemoveTagsAreRemoved()
$response = new Response('<esi:remove> <a href="http://www.example.com">www.example.com</a> </esi:remove> Keep this'."<esi:remove>\n <a>www.example.com</a> </esi:remove> And this");
$this->assertSame($response, $esi->process($request, $response));

$this->assertEquals(' Keep this And this', $response->getContent());
$this->assertEquals(' Keep this And this', substr($response->getContent(), 24, -24));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a BC break not suitable in a patch release as projects might use the Esi class directly.

Copy link
Member Author

@nicolas-grekas nicolas-grekas May 5, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a security-related fix, I'd better break existing implems that do that so that they can adjust. (I also doubt this will hit anyone in practice 🤞 )

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

then the boundary length should at least be a public constant, so that they don't have to hardcode this 24 everywhere

}

public function testCommentTagsAreRemoved()
Expand All @@ -113,7 +113,7 @@ public function testCommentTagsAreRemoved()
$response = new Response('<esi:comment text="some comment &gt;" /> Keep this');
$this->assertSame($response, $esi->process($request, $response));

$this->assertEquals(' Keep this', $response->getContent());
$this->assertEquals(' Keep this', substr($response->getContent(), 24, -24));
}

public function testProcess()
Expand All @@ -124,23 +124,27 @@ public function testProcess()
$response = new Response('foo <esi:comment text="some comment" /><esi:include src="..." alt="alt" onerror="continue" />');
$this->assertSame($response, $esi->process($request, $response));

$this->assertEquals('foo <?php echo $this->surrogate->handle($this, \'...\', \'alt\', true) ?>'."\n", $response->getContent());
$content = explode(substr($response->getContent(), 0, 24), $response->getContent());
$this->assertSame(['', 'foo ', "...\nalt\n1\n", ''], $content);
$this->assertEquals('ESI', $response->headers->get('x-body-eval'));

$response = new Response('foo <esi:comment text="some comment" /><esi:include src="foo\'" alt="bar\'" onerror="continue" />');
$this->assertSame($response, $esi->process($request, $response));

$this->assertEquals('foo <?php echo $this->surrogate->handle($this, \'foo\\\'\', \'bar\\\'\', true) ?>'."\n", $response->getContent());
$content = explode(substr($response->getContent(), 0, 24), $response->getContent());
$this->assertSame(['', 'foo ', "foo'\nbar'\n1\n", ''], $content);

$response = new Response('foo <esi:include src="..." />');
$this->assertSame($response, $esi->process($request, $response));

$this->assertEquals('foo <?php echo $this->surrogate->handle($this, \'...\', \'\', false) ?>'."\n", $response->getContent());
$content = explode(substr($response->getContent(), 0, 24), $response->getContent());
$this->assertSame(['', 'foo ', "...\n\n\n", ''], $content);

$response = new Response('foo <esi:include src="..."></esi:include>');
$this->assertSame($response, $esi->process($request, $response));

$this->assertEquals('foo <?php echo $this->surrogate->handle($this, \'...\', \'\', false) ?>'."\n", $response->getContent());
$content = explode(substr($response->getContent(), 0, 24), $response->getContent());
$this->assertSame(['', 'foo ', "...\n\n\n", ''], $content);
}

public function testProcessEscapesPhpTags()
Expand All @@ -151,7 +155,8 @@ public function testProcessEscapesPhpTags()
$response = new Response('<?php <? <% <script language=php>');
$this->assertSame($response, $esi->process($request, $response));

$this->assertEquals('<?php echo "<?"; ?>php <?php echo "<?"; ?> <?php echo "<%"; ?> <?php echo "<s"; ?>cript language=php>', $response->getContent());
$content = explode(substr($response->getContent(), 0, 24), $response->getContent());
$this->assertSame(['', '<?php <? <% <script language=php>', ''], $content);
}

public function testProcessWhenNoSrcInAnEsi()
Expand Down
9 changes: 6 additions & 3 deletions src/Symfony/Component/HttpKernel/Tests/HttpCache/SsiTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,13 +101,15 @@ public function testProcess()
$response = new Response('foo <!--#include virtual="..." -->');
$ssi->process($request, $response);

$this->assertEquals('foo <?php echo $this->surrogate->handle($this, \'...\', \'\', false) ?>'."\n", $response->getContent());
$content = explode(substr($response->getContent(), 0, 24), $response->getContent());
$this->assertSame(['', 'foo ', "...\n\n\n", ''], $content);
$this->assertEquals('SSI', $response->headers->get('x-body-eval'));

$response = new Response('foo <!--#include virtual="foo\'" -->');
$ssi->process($request, $response);

$this->assertEquals("foo <?php echo \$this->surrogate->handle(\$this, 'foo\\'', '', false) ?>\n", $response->getContent());
$content = explode(substr($response->getContent(), 0, 24), $response->getContent());
$this->assertSame(['', 'foo ', "foo'\n\n\n", ''], $content);
}

public function testProcessEscapesPhpTags()
Expand All @@ -118,7 +120,8 @@ public function testProcessEscapesPhpTags()
$response = new Response('<?php <? <% <script language=php>');
$ssi->process($request, $response);

$this->assertEquals('<?php echo "<?"; ?>php <?php echo "<?"; ?> <?php echo "<%"; ?> <?php echo "<s"; ?>cript language=php>', $response->getContent());
$content = explode(substr($response->getContent(), 0, 24), $response->getContent());
$this->assertSame(['', '<?php <? <% <script language=php>', ''], $content);
}

public function testProcessWhenNoSrcInAnSsi()
Expand Down