Security bug fix: exposure of sensitive information via the browser back button after logging out — admin and customer-account responses were cacheable, so the browser could redisplay them from its history cache without re-authenticating.
<?php | |
// src/EventListener/CacheControlSubscriber.php | |
declare(strict_types=1); | |
namespace App\EventListener; | |
use App\SectionResolver\ShopCustomerAccountSubSection; | |
use Sylius\Bundle\AdminBundle\SectionResolver\AdminSection; | |
use Sylius\Bundle\CoreBundle\SectionResolver\SectionProviderInterface; | |
use Symfony\Component\EventDispatcher\EventSubscriberInterface; | |
use Symfony\Component\HttpKernel\Event\ResponseEvent; | |
use Symfony\Component\HttpKernel\KernelEvents; | |
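final class CacheControlSubscriber implements EventSubscriberInterface
{
    /**
     * Cache-Control directives applied to sensitive responses, in the order
     * they are added. `no-store` is the directive that actually stops a
     * browser from replaying the page from its history cache after logout;
     * the remaining three are the conventional belt-and-braces set for
     * user agents and intermediaries that do not honour `no-store` alone.
     */
    private const NO_STORE_DIRECTIVES = [
        'no-cache' => true,
        'max-age' => '0',
        'must-revalidate' => true,
        'no-store' => true,
    ];

    /** @var SectionProviderInterface */
    private $sectionProvider;

    public function __construct(SectionProviderInterface $sectionProvider)
    {
        $this->sectionProvider = $sectionProvider;
    }

    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => 'setCacheControlDirectives',
        ];
    }

    /**
     * Marks every response served from the admin panel or the shop customer
     * account area as non-cacheable, so a user who logs out cannot bring the
     * page back with the browser's back button.
     *
     * Responses belonging to any other section (public shop pages, etc.) are
     * left untouched so that normal HTTP caching keeps working for them.
     */
    public function setCacheControlDirectives(ResponseEvent $event): void
    {
        // Resolve the section once instead of twice. The provider is URI
        // based, so a sensitive page served under a path the resolvers do not
        // recognise will NOT be protected here — keep the resolvers' URI
        // fragments in sync with the routing.
        $section = $this->sectionProvider->getSection();

        if (!$section instanceof AdminSection && !$section instanceof ShopCustomerAccountSubSection) {
            return;
        }

        $response = $event->getResponse();

        foreach (self::NO_STORE_DIRECTIVES as $directive => $value) {
            $response->headers->addCacheControlDirective($directive, $value);
        }

        // Legacy HTTP/1.0 caches ignore Cache-Control; `Pragma: no-cache` is
        // the equivalent they understand and is harmless for everyone else.
        $response->headers->set('Pragma', 'no-cache');
    }
}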
# config/services.yaml
services:
    # ...
    # Applies no-store / no-cache headers to admin and customer-account
    # responses (see App\EventListener\CacheControlSubscriber).
    # NOTE(review): the `event` attribute on a kernel.event_subscriber tag is
    # not what selects the event — subscribers declare their events in
    # getSubscribedEvents(); the attribute looks harmless but redundant.
    # Confirm against your Symfony version before dropping it.
    App\EventListener\CacheControlSubscriber:
        arguments: ['@sylius.section_resolver.uri_based_section_resolver']
        tags:
            - { name: kernel.event_subscriber, event: kernel.response }
    # required if you are backporting ShopUriBasedSectionResolver
    # This reuses the core service id, so on a Sylius version that already
    # ships this resolver the definition below replaces it. The negative
    # priority presumably keeps it behind the admin resolver so that admin
    # URIs are not resolved as shop ones — verify against the core tag
    # priorities of the version you run.
    sylius.section_resolver.shop_uri_based_section_resolver:
        class: App\SectionResolver\ShopUriBasedSectionResolver
        tags:
            - { name: sylius.uri_based_section_resolver, priority: -10 }
<?php | |
// src/SectionResolver/ShopCustomerAccountSubSection.php | |
declare(strict_types=1); | |
namespace App\SectionResolver; | |
use Sylius\Bundle\ShopBundle\SectionResolver\ShopSection; | |
/**
 * Marker section for the shop's customer account area.
 *
 * It extends ShopSection so that code which only cares about "is this a shop
 * request" presumably keeps treating it as one; code that needs to single
 * out the account area (e.g. to make its responses non-cacheable) checks for
 * this subclass explicitly. The class carries no state or behaviour of its
 * own — the type itself is the signal.
 */
class ShopCustomerAccountSubSection extends ShopSection
{
}
<?php | |
// src/SectionResolver/ShopUriBasedSectionResolver.php | |
declare(strict_types=1); | |
namespace App\SectionResolver; | |
use Sylius\Bundle\CoreBundle\SectionResolver\SectionInterface; | |
use Sylius\Bundle\CoreBundle\SectionResolver\UriBasedSectionResolverInterface; | |
use Sylius\Bundle\ShopBundle\SectionResolver\ShopSection; | |
final class ShopUriBasedSectionResolver implements UriBasedSectionResolverInterface
{
    /**
     * URI fragment that identifies the customer account area.
     *
     * It is matched as a plain substring anywhere in the URI, so a locale or
     * other prefix in front of it (presumably `/en_US/account/...`) still
     * resolves. Over-matching is tolerated on purpose: the only consequence
     * is that more pages become non-cacheable, which is the safe direction.
     * Note that an empty fragment matches every URI.
     *
     * @var string
     */
    private $accountUriFragment;

    public function __construct(string $shopCustomerAccountUri = 'account')
    {
        $this->accountUriFragment = $shopCustomerAccountUri;
    }

    /**
     * Resolves the shop section for the given URI.
     *
     * Returns the customer-account sub-section when the URI contains the
     * configured fragment and the generic shop section otherwise; it never
     * returns null, so this resolver also serves as the shop fallback.
     */
    public function getSection(string $uri): SectionInterface
    {
        $isAccountArea = str_contains($uri, $this->accountUriFragment);

        return $isAccountArea
            ? new ShopCustomerAccountSubSection()
            : new ShopSection();
    }
}