#64 | pen01 – The sub-requests system in Symfony

It is harder and harder for me to write down new articles, not due to lack of content but more because of time and because of confidentiality and NDA. Right now I still want to continue the blog but it is clear for me that the reason I launched the blog doesn’t make a lot of sense for me right now, I work a lot, learn a lot and don’t have a lot of free time. Anyway.


Type of sub-requests handled by Symfony

Symfony will generally divide the sub-requests type in 4 types:

  • Internal subrequests: Processed by Symfony directly
  • SSIs (server-side includes): Processed by the web server
  • ESIs (edge-side includes): Processed by a reverse proxy (such as varnish)
  • Hinclude: Processed by a browser

Generally HIncludes will work using js and will do multiple requests back and forth between the client and the user while the other requests are generally a one-round trip.


What’s so interesting about that

Those subrequests could contain vulnerabilities and should be addressed as well, however for some cases, such as the ESI, it is protected by a signature, however there are some vulnerabilities that could allow a bypass of that signature (CVE-2015-4050 or CVE-2014-5245).

I will probably learn a little bit more about symfony or the php internals when I have time.

Until then.

Leave a Reply

Your email address will not be published.