NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

Commitcd33ed0

committed

[WebProfilerBundle] Fix CORS ajax security issues

1 parenteb23f05 commitcd33ed0Copy full SHA for cd33ed0

File tree

6 files changed

+21

-8

lines changed

src/Symfony/Bundle/WebProfilerBundle
- DependencyInjection
  - Configuration.php
  - WebProfilerExtension.php
- EventListener
  - WebDebugToolbarListener.php
- Resources
  - config
    - toolbar.xml
  - views/Profiler
    - base_js.html.twig
- Tests/DependencyInjection
  - ConfigurationTest.php

6 files changed

+21

-8

lines changed

`‎src/Symfony/Bundle/WebProfilerBundle/DependencyInjection/Configuration.php‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ public function getConfigTreeBuilder()`
`45`	`45`	`->end()`
`46`	`46`	`->end()`
`47`	`47`	`->booleanNode('intercept_redirects')->defaultFalse()->end()`
	`48`	`+ ->booleanNode('enable_cors')->defaultFalse()->end()`
`48`	`49`	`->scalarNode('excluded_ajax_paths')->defaultValue('^/(app(_[\\w]+)?\\.php/)?_wdt')->end()`
`49`	`50`	`->end()`
`50`	`51`	`;`

`‎src/Symfony/Bundle/WebProfilerBundle/DependencyInjection/WebProfilerExtension.php‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ public function load(array $configs, ContainerBuilder $container)`
`49`	`49`	`if ($config['toolbar'] \|\|$config['intercept_redirects']) {`
`50`	`50`	`$loader->load('toolbar.xml');`
`51`	`51`	`$container->getDefinition('web_profiler.debug_toolbar')->replaceArgument(5,$config['excluded_ajax_paths']);`
	`52`	`+$container->getDefinition('web_profiler.debug_toolbar')->replaceArgument(6,$config['enable_cors']);`
`52`	`53`	`$container->setParameter('web_profiler.debug_toolbar.intercept_redirects',$config['intercept_redirects']);`
`53`	`54`	`$container->setParameter('web_profiler.debug_toolbar.mode',$config['toolbar'] ? WebDebugToolbarListener::ENABLED : WebDebugToolbarListener::DISABLED);`
`54`	`55`	`}`

`‎src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php‎`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -40,15 +40,17 @@ class WebDebugToolbarListener implements EventSubscriberInterface`
`40`	`40`	`protected$mode;`
`41`	`41`	`protected$position;`
`42`	`42`	`protected$excludedAjaxPaths;`
	`43`	`+protected$enableCors;`
`43`	`44`
`44`		`-publicfunction__construct(\Twig_Environment$twig,$interceptRedirects =false,$mode =self::ENABLED,$position ='bottom',UrlGeneratorInterface$urlGenerator =null,$excludedAjaxPaths ='^/bundles\|^/_wdt')`
	`45`	`+publicfunction__construct(\Twig_Environment$twig,$interceptRedirects =false,$mode =self::ENABLED,$position ='bottom',UrlGeneratorInterface$urlGenerator =null,$excludedAjaxPaths ='^/bundles\|^/_wdt',$enableCors =false)`
`45`	`46`	`{`
`46`	`47`	`$this->twig =$twig;`
`47`	`48`	`$this->urlGenerator =$urlGenerator;`
`48`	`49`	`$this->interceptRedirects = (bool)$interceptRedirects;`
`49`	`50`	`$this->mode = (int)$mode;`
`50`	`51`	`$this->position =$position;`
`51`	`52`	`$this->excludedAjaxPaths =$excludedAjaxPaths;`
	`53`	`+$this->enableCors =$enableCors;`
`52`	`54`	`}`
`53`	`55`
`54`	`56`	`publicfunctionisEnabled()`
`@@ -123,6 +125,7 @@ protected function injectToolbar(Response $response, Request $request)`
`123`	`125`	`'excluded_ajax_paths' =>$this->excludedAjaxPaths,`
`124`	`126`	`'token' =>$response->headers->get('X-Debug-Token'),`
`125`	`127`	`'request' =>$request,`
	`128`	`+'enable_cors' =>$this->enableCors,`
`126`	`129`	`)`
`127`	`130`	`))."\n";`
`128`	`131`	`$content =substr($content,0,$pos).$toolbar.substr($content,$pos);`

`‎src/Symfony/Bundle/WebProfilerBundle/Resources/config/toolbar.xml‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@`
`17`	`17`	`<argument>%web_profiler.debug_toolbar.position%</argument>`
`18`	`18`	`<argumenttype="service"id="router"on-invalid="ignore" />`
`19`	`19`	`<argument /><!-- paths that should be excluded from the AJAX requests shown in the toolbar-->`
	`20`	`+ <argument /><!-- enable CORS AJAX requests shown in the toolbar-->`
`20`	`21`	`</service>`
`21`	`22`	`</services>`
`22`	`23`	`</container>`

`‎src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/base_js.html.twig‎`

Lines changed: 7 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -208,12 +208,15 @@`
`208`	`208`	`{%if excluded_ajax_paths is defined%}`
`209`	`209`	`if (window.XMLHttpRequest&&XMLHttpRequest.prototype.addEventListener) {`
`210`	`210`	`var proxied=XMLHttpRequest.prototype.open;`
	`211`	`+var enable_cors= {{ enable_cors?'true':'false' }};`
`211`	`212`
`212`	`213`	`XMLHttpRequest.prototype.open=function(method,url,async,user,pass) {`
`213`	`214`	`varself=this;`
`214`	`215`
`215`	`216`	`/* prevent logging AJAX calls to static and inline files, like templates*/`
`216`	`217`	`var path= url;`
	`218`	`+var is_cors_request=false;`
	`219`	`+`
`217`	`220`	`if (url.substr(0,1)==='/') {`
`218`	`221`	`if (0===url.indexOf('{{ request.basePath\|e('js') }}')) {`
`219`	`222`	`path=url.substr({{request.basePath\|length }});`
`@@ -222,8 +225,11 @@`
`222`	`225`	`elseif (0===url.indexOf('{{ (request.schemeAndHttpHost ~ request.basePath)\|e('js') }}')) {`
`223`	`226`	`path=url.substr({{ (request.schemeAndHttpHost~request.basePath)\|length }});`
`224`	`227`	`}`
	`228`	`+elseif (!enable_cors) {`
	`229`	`+ is_cors_request=true;`
	`230`	`+ }`
`225`	`231`
`226`		`-if (!path.match(newRegExp({{ excluded_ajax_paths\|json_encode\|raw }}))) {`
	`232`	`+if ((!is_cors_request\|\| enable_cors)&&!path.match(newRegExp({{ excluded_ajax_paths\|json_encode\|raw }}))) {`
`227`	`233`	`var stackElement= {`
`228`	`234`	`loading:true,`
`229`	`235`	`error:false,`

`‎src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/ConfigurationTest.php‎`

Lines changed: 7 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,12 +31,13 @@ public function testConfigTree($options, $results)`
`31`	`31`	`publicfunctiongetDebugModes()`
`32`	`32`	`{`
`33`	`33`	`returnarray(`
`34`		`-array(array(),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt')),`
`35`		`-array(array('intercept_redirects' =>true),array('intercept_redirects' =>true,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt')),`
`36`		`-array(array('intercept_redirects' =>false),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt')),`
`37`		`-array(array('toolbar' =>true),array('intercept_redirects' =>false,'toolbar' =>true,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt')),`
`38`		`-array(array('position' =>'top'),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'top','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt')),`
`39`		`-array(array('excluded_ajax_paths' =>'test'),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'test')),`
	`34`	`+array(array(),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt','enable_cors' =>false)),`
	`35`	`+array(array('intercept_redirects' =>true),array('intercept_redirects' =>true,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt','enable_cors' =>false)),`
	`36`	`+array(array('intercept_redirects' =>false),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt','enable_cors' =>false)),`
	`37`	`+array(array('toolbar' =>true),array('intercept_redirects' =>false,'toolbar' =>true,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt','enable_cors' =>false)),`
	`38`	`+array(array('position' =>'top'),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'top','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt','enable_cors' =>false)),`
	`39`	`+array(array('excluded_ajax_paths' =>'test'),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'test','enable_cors' =>false)),`
	`40`	`+array(array('enable_cors' =>true),array('intercept_redirects' =>false,'toolbar' =>false,'position' =>'bottom','excluded_ajax_paths' =>'^/(app(_[\\w]+)?\\.php/)?_wdt','enable_cors' =>true)),`
`40`	`41`	`);`
`41`	`42`	`}`
`42`	`43`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitcd33ed0

File tree

6 files changed

6 files changed

`‎src/Symfony/Bundle/WebProfilerBundle/DependencyInjection/Configuration.php‎`

`‎src/Symfony/Bundle/WebProfilerBundle/DependencyInjection/WebProfilerExtension.php‎`

`‎src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php‎`

`‎src/Symfony/Bundle/WebProfilerBundle/Resources/config/toolbar.xml‎`

`‎src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/base_js.html.twig‎`

`‎src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/ConfigurationTest.php‎`

0 commit comments