Problem/Motivation

SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service is also present in Drupal 8 core.

Since Drupal's page cache uses only the URL as a cache ID (not the HTTP Accept header), cached JSON responses can get accidentally served to HTML clients and vice versa.

This enables a denial-of-service attack where an attacker could populate the target's cache with JSON responses, essentially transforming the site into gibberish for the majority of visitors.

Steps to reproduce:

  • Install Drupal 8 core
  • Create a node
  • Enable "Use internal page cache" (admin/config/development/performance), set minimum age >= 1 minute
  • Run curl -H'Accept:application/json' http://example.com/node/1
  • Visit http://example.com/node/1 in your browser as an anonymous user

Expected result: The browser should show the normal HTML page.
Actual result: The cached JSON output is sent.

rest_cache.png

Proposed resolution

Possible solutions are proposed in these related issues:
#1303010: Page cache only uses URL as cache ID, not HTTP Accept headers or language
#1597696: Consider whether HttpCache offers any significant benefit over the existing page cache

This issue is to track the advisory follow-up specifically, as well as any changes needed to ViewSubscriber should the above solution(s) get implemented.

Remaining tasks

Patch needed.

User interface changes

N/A

API changes

???

Attached file: rest_cache.png (131.25 KB), author: grendzy
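The cache-ID problem from the issue summary, modelled as an added example (not Drupal's code and not taken from this issue): a toy page cache replays the reproduction steps with a URL-only cache ID and with a cache ID that also includes the negotiated format. `PageCache`, `render` and `negotiated_format` are hypothetical names, and keying on the negotiated format is an assumed fix for illustration, not necessarily what the related issues adopt.

```python
from dataclasses import dataclass, field

JSON = "application/json"


def negotiated_format(accept: str) -> str:
    """Reduce the Accept header to the formats this toy site serves.

    Keying on this small, fixed set (rather than the raw header) keeps
    clients from creating one cache entry per distinct Accept string.
    """
    return "json" if JSON in accept else "html"


def render(path: str, accept: str) -> tuple:
    """Constructed stand-in for a controller that negotiates on Accept."""
    if negotiated_format(accept) == "json":
        return (JSON, '{"nid": 1, "title": "Hello"}')
    return ("text/html", "<html><body><h1>Hello</h1></body></html>")


@dataclass
class PageCache:
    vary_on_format: bool              # False: URL-only cache ID (the bug)
    store: dict = field(default_factory=dict)

    def cid(self, path: str, accept: str) -> tuple:
        if self.vary_on_format:
            return (path, negotiated_format(accept))
        return (path,)

    def handle(self, path: str, accept: str) -> tuple:
        key = self.cid(path, accept)
        if key not in self.store:     # cache miss: render and remember
            self.store[key] = render(path, accept)
        return self.store[key]


def browser_sees(cache: PageCache) -> str:
    """Replay the steps above: JSON client first, then an anonymous browser."""
    cache.handle("/node/1", JSON)
    content_type, _body = cache.handle("/node/1", "text/html,application/xhtml+xml")
    return content_type


if __name__ == "__main__":
    print("URL-only cache ID:   ", browser_sees(PageCache(vary_on_format=False)))
    print("URL + format cache ID:", browser_sees(PageCache(vary_on_format=True)))
```
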

Comments

klausi

Component: rest.module » base system

This has nothing to do with REST module, something else is generating the JSON.

klausi

Title: RESTful Web Services - Denial of Service (SA-CONTRIB-2013-042) » ViewSubscriber with page caching - Denial of Service (SA-CONTRIB-2013-042)

Found it: core/lib/Drupal/Core/EventSubscriber/ViewSubscriber.php can output the render array in HTML and in JSON it seems, which is incompatible with the current page cache system.

klausi

Issue summary: View changes

removed REST module, not needed for this

catch

Status: Active » Closed (duplicate)

catch

Issue summary: View changes

add symfony HttpCache issue