colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Forced response cache revalidation on logged-in responses 

- Prevents authenticated responses being visible when back button
  pressed in browser.
- Previously, 'no-cache, private' was added by default by Symfony which
  would have prevents proxy cache issues but this adds no-store and a
  max-age option to also invalidate all caching.

Thanks to @haxatron via huntr.dev
Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/
This commit is contained in:
Dan Brown 2021-10-08 15:22:09 +01:00
parent 55be75dee2
commit 41ac69adb1
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
3 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/Http/Kernel.php
View File

@ -2,6 +2,7 @@
namespace BookStack\Http; namespace BookStack\Http;
use BookStack\Http\Middleware\PreventAuthenticatedResponseCaching;
use Illuminate\Foundation\Http\Kernel as HttpKernel; use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel class Kernel extends HttpKernel
@ -30,6 +31,7 @@ class Kernel extends HttpKernel
\Illuminate\Session\Middleware\StartSession::class, \Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class, \Illuminate\View\Middleware\ShareErrorsFromSession::class,
\BookStack\Http\Middleware\VerifyCsrfToken::class, \BookStack\Http\Middleware\VerifyCsrfToken::class,
\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
\BookStack\Http\Middleware\CheckEmailConfirmed::class, \BookStack\Http\Middleware\CheckEmailConfirmed::class,
\BookStack\Http\Middleware\RunThemeActions::class, \BookStack\Http\Middleware\RunThemeActions::class,
\BookStack\Http\Middleware\Localization::class, \BookStack\Http\Middleware\Localization::class,
@ -39,6 +41,7 @@ class Kernel extends HttpKernel
\BookStack\Http\Middleware\EncryptCookies::class, \BookStack\Http\Middleware\EncryptCookies::class,
\BookStack\Http\Middleware\StartSessionIfCookieExists::class, \BookStack\Http\Middleware\StartSessionIfCookieExists::class,
\BookStack\Http\Middleware\ApiAuthenticate::class, \BookStack\Http\Middleware\ApiAuthenticate::class,
\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
\BookStack\Http\Middleware\CheckEmailConfirmed::class, \BookStack\Http\Middleware\CheckEmailConfirmed::class,
], ],
]; ];

30
app/Http/Middleware/PreventAuthenticatedResponseCaching.php Normal file
View File

@ -0,0 +1,30 @@
<?php
namespace BookStack\Http\Middleware;
use Closure;
use Symfony\Component\HttpFoundation\Response;
class PreventAuthenticatedResponseCaching
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
/** @var Response $response */
$response = $next($request);
if (signedInUser()) {
$response->headers->set('Cache-Control', 'max-age=0, no-store, private');
$response->headers->set('Pragma', 'no-cache');
$response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
}
return $response;
}
}

9
tests/SecurityHeaderTest.php
View File

@ -119,6 +119,15 @@ class SecurityHeaderTest extends TestCase
$this->assertEquals('base-uri \'self\'', $scriptHeader); $this->assertEquals('base-uri \'self\'', $scriptHeader);
} }
public function test_cache_control_headers_are_strict_on_responses_when_logged_in()
{
$this->asEditor();
$resp = $this->get('/');
$resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');
$resp->assertHeader('Pragma', 'no-cache');
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
}
/** /**
* Get the value of the first CSP header of the given type. * Get the value of the first CSP header of the given type.
*/ */