8000 TypeError when Forwarded header is missing · Issue #42300 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

TypeError when Forwarded header is missing #42300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
infomaniac50 opened this issue Jul 28, 2021 · 2 comments
Closed

TypeError when Forwarded header is missing #42300

infomaniac50 opened this issue Jul 28, 2021 · 2 comments
Labels
Bug Security Status: Needs Review

Comments

@infomaniac50
Copy link

Symfony version(s) affected: 5.3.5

Stack Trace

TypeError:
Argument 1 passed to str_contains() must be of the type string, null given, called in [REDACTED]/vendor/symfony/security-http/Firewall/ChannelListener.php on line 52

  at vendor/symfony/polyfill-php80/bootstrap.php:29
  at str_contains(null, 'proto=https')
     (vendor/symfony/security-http/Firewall/ChannelListener.php:52)
  at Symfony\Component\Security\Http\Firewall\ChannelListener->supports(object(Request))
     (vendor/symfony/security-bundle/Debug/WrappedLazyListener.php:38)
  at Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener->supports(object(Request))
     (vendor/symfony/security-bundle/Security/LazyFirewallContext.php:52)
  at Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext->__invoke(object(RequestEvent))
     (vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php:59)
  at Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->callListeners(object(RequestEvent), object(Generator))
     (vendor/symfony/security-http/Firewall.php:86)
  at Symfony\Component\Security\Http\Firewall->onKernelRequest(object(RequestEvent), 'kernel.request', object(TraceableEventDispatcher))
     (vendor/symfony/event-dispatcher/Debug/WrappedListener.php:117)
  at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(object(RequestEvent), 'kernel.request', object(TraceableEventDispatcher))
     (vendor/symfony/event-dispatcher/EventDispatcher.php:230)
  at Symfony\Component\EventDispatcher\EventDispatcher->callListeners(array(object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener)), 'kernel.request', object(RequestEvent))
     (vendor/symfony/event-dispatcher/EventDispatcher.php:59)
  at Symfony\Component\EventDispatcher\EventDispatcher->dispatch(object(RequestEvent), 'kernel.request')
     (vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php:151)
  at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch(object(RequestEvent), 'kernel.request')
     (vendor/symfony/http-kernel/HttpKernel.php:133)
  at Symfony\Component\HttpKernel\HttpKernel->handleRaw(object(Request), 1)
     (vendor/symfony/http-kernel/HttpKernel.php:79)
  at Symfony\Component\HttpKernel\HttpKernel->handle(object(Request), 1, true)
     (vendor/symfony/http-kernel/Kernel.php:199)
  at Symfony\Component\HttpKernel\Kernel->handle(object(Request))
     (vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:37)
  at Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner->run()
     (vendor/autoload_runtime.php:35)
  at require_once('[REDACTED]/vendor/autoload_runtime.php')
     (public/index.php:5)

Description
The PHP 8 polyfill for str_contains does not accept null in it's arguments. This problem has shown up in more than one place. e.g. #42290 and in

symfony/src/Symfony/Component/Security/Http/Firewall/ChannelListener.php

Line 52 in 534e1ed

} elseif (str_contains($request->headers->get('Forwarded'), 'proto=https')) {

DumpDataCollector.php avoids the issue by checking for the existence of the header.

symfony/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php

Line 118 in 61ecf9b

|| ($response->headers->has('Content-Type') && !str_contains($response->headers->get('Content-Type'), 'html'))

The solution is probably the same as #42290.
@bobvandevijver
Copy link
Contributor

@fabpot Shouldn't the same fix for this also be included in todays release?
(even though the polyfill update should already fix this: https://github.com/symfony/polyfill/releases/tag/v1.23.1)

@fabpot
Copy link
Member
fabpot commented Jul 29, 2021

Everything should be ok now.

@fabpot fabpot closed this as completed Jul 29, 2021
This was referenced Jul 29, 2021
Merged
Merged
fabpot added a commit that referenced this issue Jul 30, 2021
@fabpot
minor #42316 [Security] Fix str_contains type mismatch in ChannelList…
af897a1 
…ener (bobvandevijver)

This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[Security] Fix str_contains type mismatch in ChannelListener

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #42300, Part of #41552
| License       | MIT
| Doc PR        | -

Also use a default empty string in the `ChannelListener` before using `str_contains`.

Commits
-------

28ae62d [Security] Fix str_contains type mismatch in ChannelListener
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@fabpot @infomaniac50 @bobvandevijver @xabbuh @carsonbot
0