It is harder and harder for me to write new articles, not due to lack of content but more because of time and because of confidentiality and NDAs. Right now I still want to continue the blog, but it is clear to me that the reason I launched the blog doesn’t make a lot of sense for me right now; I work a lot, learn a lot and don’t have a lot of free time. Anyway.
Type of sub-requests handled by Symfony
Symfony generally divides sub-requests into 4 types:
- Internal subrequests: Processed by Symfony directly
- SSIs (server-side includes): Processed by the web server
- ESIs (edge-side includes): Processed by a reverse proxy (such as Varnish)
- HInclude: Processed by a browser
HIncludes generally work using JavaScript and make multiple requests back and forth from the client, while the other types are generally a single round trip.
What’s so interesting about that
Those subrequests could contain vulnerabilities and should be assessed as well. In some cases, such as ESI, the sub-request is protected by a signature; however, some vulnerabilities could allow a bypass of that signature (CVE-2015-4050 or CVE-2014-5245).
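A sketch of how a signed sub-request URI can be checked, added here as an illustration and not taken from the original post or from Symfony's code base: the URI carries an HMAC and the verifier rejects it when the signature is missing, malformed or wrong. The secret, the `_hash` parameter name, the function names and the sample URI are assumptions made for the example.

```php
<?php
// Added illustration, not Symfony's implementation. SECRET, the "_hash"
// parameter name and the sample URI below are assumptions/constructed values.
const SECRET = 'constructed-demo-secret';

// Append an HMAC-SHA256 of the whole URI as the last query parameter.
function signUri(string $uri, string $secret): string
{
    $mac = base64_encode(hash_hmac('sha256', $uri, $secret, true));
    $sep = (strpos($uri, '?') === false) ? '?' : '&';
    return $uri . $sep . '_hash=' . rawurlencode($mac);
}

// Fail closed: a missing, malformed or non-matching signature all return false.
function checkUri(string $uri, string $secret): bool
{
    // The signature must be the final parameter; everything before it is what was signed.
    if (preg_match('/^(.*)[?&]_hash=([^&#]+)$/s', $uri, $m) !== 1) {
        return false;
    }
    $expected = base64_encode(hash_hmac('sha256', $m[1], $secret, true));
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, rawurldecode($m[2]));
}

$signed = signUri('/_fragment?_path=_controller%3Dsidebar', SECRET); // constructed URI
$cases = [
    'signed as issued'   => $signed,
    'parameter tampered' => str_replace('sidebar', 'admin', $signed),
    'signature removed'  => '/_fragment?_path=_controller%3Dsidebar',
    'signature emptied'  => '/_fragment?_path=_controller%3Dsidebar&_hash=',
];
foreach ($cases as $label => $uri) {
    printf("%-20s %s\n", $label, checkUri($uri, SECRET) ? 'accepted' : 'rejected');
}
```

When reviewing a real handler, the branch to look for is the first one: the request has to be refused before it is dispatched whenever the signature is absent, not only when it is present and wrong.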
I will probably learn a little bit more about Symfony or the PHP internals when I have time.