Verified Commit 208bb878 authored by Lee Rowlands
Issue #3214208 by gapple, Akhil Babu, larowlan, smustgrave:...

Issue #3214208 by gapple, Akhil Babu, larowlan, smustgrave: FinishResponseSubscriber could create duplicate headers
parent 6edfeb38
......@@ -123,8 +123,10 @@ public function onRespond(ResponseEvent $event) {
// different from the declared content-type, since that can lead to
// XSS and other vulnerabilities.
// https://owasp.org/www-project-secure-headers
$response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', FALSE);
$response->headers->set('X-Content-Type-Options', 'nosniff');
if (!$response->headers->has('X-Frame-Options')) {
$response->headers->set('X-Frame-Options', 'SAMEORIGIN');
}
// If the current response isn't an implementation of the
// CacheableResponseInterface, we assume that a Response is either
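Review bot: The asymmetry between the two headers is left uncommented: `X-Content-Type-Options` is now forced to `nosniff` on every response, while `X-Frame-Options` is only supplied when absent, and the comment block above the hunk explains only the nosniff rationale. A one-line comment before the `has()` check would make the contract explicit, e.g. `// Keep a value already set by the controller or another subscriber (e.g. DENY); only supply the SAMEORIGIN default.` Note also that `has()` presumably answers TRUE for any pre-existing value, including an empty or malformed one, so a caller that sets a bad value suppresses the default rather than having it corrected; if that is intended it is worth saying so in the same comment. onRespond() continues past the end of this hunk.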
<?php
namespace Drupal\Tests\Core\EventSubscriber;
use Drupal\Core\Cache\Context\CacheContextsManager;
use Drupal\Core\EventSubscriber\FinishResponseSubscriber;
use Drupal\Core\Language\Language;
use Drupal\Core\Language\LanguageManagerInterface;
use Drupal\Core\PageCache\RequestPolicyInterface;
use Drupal\Core\PageCache\ResponsePolicyInterface;
use Drupal\Tests\UnitTestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
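/**
 * Unit tests for the default security headers set by FinishResponseSubscriber.
 *
 * Two behaviours are pinned: X-Content-Type-Options is always forced to
 * "nosniff", whereas X-Frame-Options is only supplied when the response does
 * not already carry one.
 *
 * @coversDefaultClass \Drupal\Core\EventSubscriber\FinishResponseSubscriber
 * @group EventSubscriber
 */
class FinishResponseSubscriberTest extends UnitTestCase {

  /**
   * The mock Kernel.
   *
   * @var \Symfony\Component\HttpKernel\HttpKernelInterface|\PHPUnit\Framework\MockObject\MockObject
   */
  protected $kernel;

  /**
   * The mock language manager.
   *
   * @var \Drupal\Core\Language\LanguageManagerInterface|\PHPUnit\Framework\MockObject\MockObject
   */
  protected $languageManager;

  /**
   * The mock request policy.
   *
   * @var \Drupal\Core\PageCache\RequestPolicyInterface|\PHPUnit\Framework\MockObject\MockObject
   */
  protected $requestPolicy;

  /**
   * The mock response policy.
   *
   * @var \Drupal\Core\PageCache\ResponsePolicyInterface|\PHPUnit\Framework\MockObject\MockObject
   */
  protected $responsePolicy;

  /**
   * The mock cache contexts manager.
   *
   * @var \Drupal\Core\Cache\Context\CacheContextsManager|\PHPUnit\Framework\MockObject\MockObject
   */
  protected $cacheContextsManager;

  /**
   * {@inheritdoc}
   */
  protected function setUp(): void {
    parent::setUp();
    $this->kernel = $this->createMock(HttpKernelInterface::class);
    $this->languageManager = $this->createMock(LanguageManagerInterface::class);
    $this->requestPolicy = $this->createMock(RequestPolicyInterface::class);
    $this->responsePolicy = $this->createMock(ResponsePolicyInterface::class);
    $this->cacheContextsManager = $this->createMock(CacheContextsManager::class);
  }

  /**
   * Builds the subscriber under test wired to the shared mocks.
   *
   * The language manager is stubbed to report "en" as the current language so
   * that the Content-language assertions have a known expected value.
   *
   * @return \Drupal\Core\EventSubscriber\FinishResponseSubscriber
   *   A subscriber using the mocks created in setUp().
   */
  private function createSubscriber(): FinishResponseSubscriber {
    $this->languageManager->method('getCurrentLanguage')
      ->willReturn(new Language(['id' => 'en']));
    // The trailing FALSE matches the original fixture; that flag is not
    // exercised by these tests.
    return new FinishResponseSubscriber(
      $this->languageManager,
      $this->getConfigFactoryStub(),
      $this->requestPolicy,
      $this->responsePolicy,
      $this->cacheContextsManager,
      FALSE
    );
  }

  /**
   * Builds a main-request response event with an observable header bag.
   *
   * The request and response are mocks, but the response is given a real
   * ResponseHeaderBag so the headers written by the subscriber can be read
   * back via $event->getResponse()->headers.
   *
   * @return \Symfony\Component\HttpKernel\Event\ResponseEvent
   *   The event to hand to FinishResponseSubscriber::onRespond().
   */
  private function createResponseEvent(): ResponseEvent {
    $request = $this->createMock(Request::class);
    $response = $this->createMock(Response::class);
    $response->headers = new ResponseHeaderBag();
    return new ResponseEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST, $response);
  }

  /**
   * Finish subscriber should set some default header values.
   *
   * With no pre-existing headers, both security headers are added exactly
   * once (no duplicates) alongside Content-language.
   *
   * @covers ::onRespond
   */
  public function testDefaultHeaders(): void {
    $subscriber = $this->createSubscriber();
    $event = $this->createResponseEvent();

    $subscriber->onRespond($event);

    $headers = $event->getResponse()->headers;
    $this->assertSame(['en'], $headers->all('Content-language'));
    $this->assertSame(['nosniff'], $headers->all('X-Content-Type-Options'));
    $this->assertSame(['SAMEORIGIN'], $headers->all('X-Frame-Options'));
  }

  /**
   * Finish subscriber should not overwrite an existing X-Frame-Options value.
   *
   * X-Content-Type-Options is the exception: core replaces any pre-existing
   * value with "nosniff" unconditionally, and no duplicate entry is created.
   *
   * @covers ::onRespond
   */
  public function testExistingHeaders(): void {
    $subscriber = $this->createSubscriber();
    $event = $this->createResponseEvent();
    $headers = $event->getResponse()->headers;

    // Pre-set both headers before the subscriber runs: a bogus value for the
    // one core must override, and a stricter value for the one it must keep.
    $headers->set('X-Content-Type-Options', 'foo');
    $headers->set('X-Frame-Options', 'DENY');

    $subscriber->onRespond($event);

    $this->assertSame(['en'], $headers->all('Content-language'));
    // 'X-Content-Type-Options' will be unconditionally set by the core.
    $this->assertSame(['nosniff'], $headers->all('X-Content-Type-Options'));
    $this->assertSame(['DENY'], $headers->all('X-Frame-Options'));
  }

}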