In <=2.1 versions, the ESI URL came from importing the internal.xml routing file, which exposed a regular Symfony route that was capable of rendering any controller. If a normal user had access to this, they could render any controller with any arguments in your system, which is the issue you are currently facing.
In >=2.2, the internal.xml routing file is gone. You now have a fragments key in config.yml. Instead of a route, this activates a listener that watches for any requests that start with /_proxy, which is the URL that the ESI tags now render as.
This alone doesn’t help security, except that the listener uses a few tricks internally.
So what prevents an evil user from exploiting this URL to render any controller in our system with any parameters? Since 2.2, there are two built-in protections: trusted proxies and signed URLs.
The class that handles all this magic is called FragmentListener. Before it starts serving anything from your application, it first checks to see if the person requesting is “trusted”.
If you’re using a reverse proxy like Varnish, then you’ll want to add its IP address (or, for the super-geeks, a CIDR IP address range) to your config.yml file:

```yaml
framework:
    trusted_proxies:
        - 192.168.12.0
```
If the request comes from this IP or range, it allows it. And, if it comes from a local address, it also allows it. In other words, if it’s someone you trust, then it’s ok.
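To make the trust decision concrete, here is an added example (not Symfony's own FragmentListener code) that models the first check described above: a request to the /_proxy path is let through only when the remote address is a loopback address or falls inside one of the configured trusted_proxies entries. The trusted_proxies list and the sample addresses are constructed for the example; the `192.168.12.0/24` entry is an assumed CIDR form that the page mentions but does not spell out. It also shows a caveat worth knowing: a bare `192.168.12.0` entry, as in the config above, matches exactly that one host, not the whole 192.168.12.x range.

```python
import ipaddress

# Constructed sample configuration: one bare IP (as in the page's config.yml)
# and one CIDR range (assumed form), mirroring framework.trusted_proxies.
TRUSTED_PROXIES = ["192.168.12.0", "10.0.0.0/8"]

FRAGMENT_PATH_PREFIX = "/_proxy"


def is_local_address(remote_addr):
    """True for loopback addresses (127.0.0.0/8, ::1), which the listener also allows."""
    return ipaddress.ip_address(remote_addr).is_loopback


def is_from_trusted_proxy(remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """True if remote_addr lies inside any configured IP or CIDR entry.

    A bare IP such as "192.168.12.0" becomes a /32 network, so it matches
    only that single host; use "192.168.12.0/24" to trust the whole range.
    """
    addr = ipaddress.ip_address(remote_addr)
    for entry in trusted_proxies:
        network = ipaddress.ip_network(entry, strict=False)
        # Membership returns False across IPv4/IPv6 versions, so mixing is safe.
        if addr in network:
            return True
    return False


def fragment_request_allowed(path, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Model of the trust stage of the fragment listener.

    Returns None when the path is not a fragment URL (the listener ignores it and
    normal routing applies), True when the caller is trusted, False when the
    fragment request must be refused.
    """
    if not path.startswith(FRAGMENT_PATH_PREFIX):
        return None
    if is_local_address(remote_addr):
        return True
    return is_from_trusted_proxy(remote_addr, trusted_proxies)


if __name__ == "__main__":
    # Constructed requests: Varnish at the configured IP, a neighbour host,
    # the local machine, and an arbitrary internet client.
    for client in ["192.168.12.0", "192.168.12.5", "127.0.0.1", "203.0.113.9"]:
        print(client, fragment_request_allowed("/_proxy", client))
```

Running the block prints one decision per constructed client; only the exact configured proxy IP and the loopback address are allowed with the sample list, which is why the range form matters when the proxy's address can vary.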