security #cve-2023-46735 [Webhook] Remove user-submitted type from HTTP response (nicolas-grekas)

nicolas-grekas · nicolas-grekas · commit c329f2dcd906 · 2023-11-09T19:28:06.000+01:00
This PR was merged into the 6.3 branch.
diff --git a/src/Symfony/Component/Webhook/Controller/WebhookController.php b/src/Symfony/Component/Webhook/Controller/WebhookController.php
@@ -38,7 +38,7 @@ public function __construct(
     public function handle(string $type, Request $request): Response
     {
         if (!isset($this->parsers[$type])) {
-            return new Response(sprintf('No parser found for webhook of type "%s".', $type), 404);
+            return new Response('No webhook parser found for the type given in the URL.', 404, ['Content-Type' => 'text/plain']);
         }
         /** @var RequestParserInterface $parser */
         $parser = $this->parsers[$type]['parser'];

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ public function __construct(`
`38`	`38`	`public function handle(string $type, Request $request): Response`
`39`	`39`	`{`
`40`	`40`	`if (!isset($this->parsers[$type])) {`
`41`		`- return new Response(sprintf('No parser found for webhook of type "%s".', $type), 404);`
	`41`	`+ return new Response('No webhook parser found for the type given in the URL.', 404, ['Content-Type' => 'text/plain']);`
`42`	`42`	`}`
`43`	`43`	`/** @var RequestParserInterface $parser */`
`44`	`44`	`$parser = $this->parsers[$type]['parser'];`