Problem/Motivation
SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service is also present in Drupal 8 core.
Since Drupal's page cache uses only the URL as a cache ID (not the HTTP Accept header), cached JSON responses can get accidentally served to HTML clients and vice-versa.
This enables a denial-of-service attack where an attacker could populate the target's cache with JSON responses, essentially transforming the site into gibberish for the majority of visitors.
Steps to reproduce:
- Install Drupal 8 core
- Create a node
- Enable "Use internal page cache" (admin/config/development/performance), set minimum age >= 1 minute
- Run curl -H'Accept:application/json' http://example.com/node/1
- Visit http://example.com/node/1 in your browser as an anonymous user
Expected result: The browser should show the normal HTML page.
Actual result: The cached JSON output is sent.
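The collision above, and a cache ID that includes the negotiated format, as a toy model in Python. This is an added example, not Drupal core code: the class, the function names and the two-entry format list are assumptions, and Accept q-values are ignored for brevity.

```python
# Added illustration: a toy page cache, not Drupal core code.
SUPPORTED = {"text/html": "html", "application/json": "json"}  # assumed format list


def negotiated_format(accept):
    """Map an Accept header onto a small fixed set of formats."""
    # Normalising bounds the key space: arbitrary Accept strings must not
    # be able to create arbitrary cache entries.
    for part in (accept or "").split(","):
        media_type = part.split(";")[0].strip().lower()
        if media_type in SUPPORTED:
            return SUPPORTED[media_type]
    return "html"  # default for */*, missing or unknown types


def render(path, accept):
    """Stand-in for the controller: the body depends on the negotiated format."""
    if negotiated_format(accept) == "json":
        return "application/json", '{"path": "%s"}' % path
    return "text/html", "<html><body>%s</body></html>" % path


def url_only_key(path, accept):
    return path  # the behaviour described in this issue


def format_aware_key(path, accept):
    return "%s:%s" % (path, negotiated_format(accept))


class PageCache:
    def __init__(self, key_func):
        self.key_func = key_func
        self.store = {}

    def get(self, path, accept):
        key = self.key_func(path, accept)
        if key not in self.store:  # cache miss: render and store
            self.store[key] = render(path, accept)
        return self.store[key]


def replay(key_func):
    """Replay the two requests from the steps; return what the browser gets."""
    cache = PageCache(key_func)
    cache.get("/node/1", "application/json")  # first request fills the cache
    content_type, _ = cache.get("/node/1", "text/html,application/xhtml+xml,*/*;q=0.8")
    return content_type, len(cache.store)
```

With `url_only_key` the browser request is answered from the JSON entry; with `format_aware_key` each format gets its own entry and the number of entries per URL stays bounded by the format list.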
Proposed resolution
Possible solutions are proposed in these related issues:
#1303010: Page cache only uses URL as cache ID, not HTTP Accept headers or language
#1597696: Switch page caching to HttpCache
This issue is to track the advisory follow-up specifically, as well as any changes needed to ViewSubscriber should the above solution(s) get implemented.
Remaining tasks
Patch needed.
User interface changes
N/A
API changes
???