CVE-2019-19326
Description
Silverstripe CMS sites through 4.4.4 which have opted into HTTP Cache Headers on responses served by the framework's HTTP layer can be vulnerable to web cache poisoning. Through modifying the X-Original-Url and X-HTTP-Method-Override headers, responses with malicious HTTP headers can return unexpected responses to other consumers of this cached response. Most other headers associated with web cache poisoning are already disabled through request hostname forgery whitelists.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe CMS through 4.4.4 with HTTP cache headers enabled is vulnerable to web cache poisoning via crafted X-Original-Url and X-HTTP-Method-Override headers.
Vulnerability
Description
Silverstripe CMS sites that have opted into HTTP Cache Headers on responses served by the framework's HTTP layer are vulnerable to web cache poisoning [1]. Before the fix, the framework's request set-up copied the X-Original-Url header (an IIS convention) over REQUEST_URI, and the X-HTTP-Method-Override header or a _method POST variable over REQUEST_METHOD [2][3][4]. A client can therefore make the framework route and respond as if a different URL or method had been requested, while any shared cache in front of the site still files the response under the URL and method it actually saw [1].
Exploitation
An attacker sends a request for a publicly cacheable URL and adds an X-Original-Url or X-HTTP-Method-Override header. The cache keys on the request line, not on those headers, so the response the framework generates for the overridden URL or method (for example a not-found page, or the empty body of a HEAD response) is stored under the legitimate key and served to later visitors until it expires or is purged [1]. The attack needs only that the site emits public cache headers and that a shared cache honours them; no authentication is required [1].
Impact
Successful poisoning replaces the cached copy of a page with whatever the framework returned for the attacker's overridden request, so every visitor to that URL receives the wrong response until the cache entry expires or is purged [1]. The substituted content is limited to responses the application itself can produce for another URL or method; the advisory characterises the outcome as unexpected responses rather than arbitrary content injection [1].
Mitigation
Silverstripe fixed this in framework 4.4.7, 4.5.4 and 3.7.5 by no longer honouring the X-HTTP-Method-Override header, the X-Original-Url header or the _method POST variable, and by adding an explicit setHttpMethod() for code that legitimately needs to change a request's method [2][3][4]. Administrators should upgrade to one of those releases; where that is not immediately possible, disabling HTTP cache headers removes the shared-cache exposure [1]. Code that relied on _method or X-HTTP-Method-Override to issue PUT or DELETE from browsers, and IIS deployments that relied on X-Original-Url to supply REQUEST_URI, should be checked after upgrading because those paths are gone [2][3][4].
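As an added illustration (not Silverstripe code and not taken from the advisory), the following Python model shows the mechanism described in the Exploitation and Mitigation sections above: a shared cache keyed on the request line sits in front of a framework whose pre-fix environment clean-up honoured X-Original-Url and X-HTTP-Method-Override, beside the post-fix behaviour that ignores both. The site content, the cache policy (store GET responses marked public) and the CGI-style header key names are constructed assumptions; the _method POST variable that the real fix also removed is left out.

```python
"""Toy model of the CVE-2019-19326 cache-poisoning path.

A shared cache keys responses on the request line it sees (method + path).
Before the fix, the framework's environment clean-up let two client headers
change what it actually routed, so the cache stored a response for one
request line that had been generated for another.  Everything here is
constructed for illustration; it is not Silverstripe code.
"""

# Constructed site content; the site has opted into public HTTP cache headers.
PAGES = {
    "/about": "<h1>About us</h1>",
    "/contact": "<h1>Contact</h1>",
}
CACHE_CONTROL = "public, max-age=600"


def clean_environment_vulnerable(server):
    """Behaviour removed by the fix: X-Original-Url replaces REQUEST_URI and
    X-HTTP-Method-Override replaces REQUEST_METHOD, straight from the client."""
    env = dict(server)
    if env.get("HTTP_X_ORIGINAL_URL"):
        env["REQUEST_URI"] = env["HTTP_X_ORIGINAL_URL"]
    if env.get("HTTP_X_HTTP_METHOD_OVERRIDE"):
        env["REQUEST_METHOD"] = env["HTTP_X_HTTP_METHOD_OVERRIDE"]
    return env


def clean_environment_fixed(server):
    """Post-fix behaviour: only the real request line decides method and path."""
    return dict(server)


def app(env):
    """Minimal framework: route by REQUEST_URI, empty body for HEAD, 404 otherwise."""
    method = env["REQUEST_METHOD"].upper()
    body = PAGES.get(env["REQUEST_URI"])
    if body is None:
        return 404, "<h1>Page not found</h1>", CACHE_CONTROL
    if method == "HEAD":
        return 200, "", CACHE_CONTROL
    return 200, body, CACHE_CONTROL


class SharedCache:
    """Reverse-proxy style cache keyed on (method, path) only, so the two
    X-* headers are invisible to it."""

    def __init__(self, clean_environment):
        self.clean_environment = clean_environment
        self.store = {}

    def fetch(self, method, path, headers):
        key = (method, path)
        if key in self.store:
            return self.store[key], True
        server = {"REQUEST_METHOD": method, "REQUEST_URI": path}
        for name, value in headers.items():
            # Assumed CGI-style key names, the form PHP uses for request headers.
            server["HTTP_" + name.upper().replace("-", "_")] = value
        response = app(self.clean_environment(server))
        if method == "GET" and "public" in response[2]:
            self.store[key] = response
        return response, False


def run_scenario(clean_environment):
    """Attacker primes two URLs, then plain victims request them.
    Returns (status, body) the victims receive and whether it came from the cache."""
    cache = SharedCache(clean_environment)
    cache.fetch("GET", "/about", {"X-Original-Url": "/does-not-exist"})
    cache.fetch("GET", "/contact", {"X-HTTP-Method-Override": "HEAD"})
    about, about_hit = cache.fetch("GET", "/about", {})
    contact, contact_hit = cache.fetch("GET", "/contact", {})
    return {
        "about": about[:2],
        "contact": contact[:2],
        "from_cache": about_hit and contact_hit,
    }


if __name__ == "__main__":
    for label, fn in (("vulnerable", clean_environment_vulnerable),
                      ("fixed", clean_environment_fixed)):
        print(label, run_scenario(fn))
```

With the vulnerable clean-up, victims of /about receive the 404 page and victims of /contact receive an empty body, both served from the cache; with the fixed clean-up the same attacker requests prime the cache with the genuine pages. Real caches key on more than (method, path) (Vary headers, query strings), which changes which URLs are exposed but not the mechanism.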
- [1] NVD - CVE-2019-19326
- [2] [CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Orig… · silverstripe/silverstripe-framework@98926e4
- [3] [CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Orig… · silverstripe/silverstripe-framework@8518987
- [4] [CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Orig… · silverstripe/silverstripe-framework@107706c
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/framework (Packagist) | >= 4.0.0, < 4.4.7 | 4.4.7 |
| silverstripe/framework (Packagist) | >= 4.5.0, < 4.5.4 | 4.5.4 |
| silverstripe/framework (Packagist) | >= 3.0.0, < 3.7.5 | 3.7.5 |
Affected products
- Silverstripe/CMS (from the CVE description)
Patches
8518987cbd1e [CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod()
3 files changed · +107 −49
src/Control/HTTPRequestBuilder.php+0 −10 modified@@ -135,16 +135,6 @@ public static function extractRequestHeaders(array $server) */ public static function cleanEnvironment(array $variables) { - // IIS will sometimes generate this. - if (!empty($variables['_SERVER']['HTTP_X_ORIGINAL_URL'])) { - $variables['_SERVER']['REQUEST_URI'] = $variables['_SERVER']['HTTP_X_ORIGINAL_URL']; - } - - // Override REQUEST_METHOD - if (isset($variables['_SERVER']['X-HTTP-Method-Override'])) { - $variables['_SERVER']['REQUEST_METHOD'] = $variables['_SERVER']['X-HTTP-Method-Override']; - } - // Merge $_FILES into $_POST $variables['_POST'] = array_merge((array)$variables['_POST'], (array)$variables['_FILES']);
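Review bot: the two removed checks in cleanEnvironment() read the headers inconsistently: X-Original-Url is taken from the CGI-style key `HTTP_X_ORIGINAL_URL`, while the method override reads `$variables['_SERVER']['X-HTTP-Method-Override']`, the raw header name, so the header-based method override in this path may never have fired and the practical exposure on 4.x would have been the URL rewrite plus the `_method` POST variable handled in HTTPRequest; the advisory text should say which input actually reached routing so operators know what to look for. Dropping the IIS rewrite also changes routing silently for IIS deployments that depended on it; a release note telling those sites to have the web server populate REQUEST_URI itself would avoid surprise breakage.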
src/Control/HTTPRequest.php+30 −15 modified@@ -18,9 +18,6 @@ * The intention is that a single HTTPRequest object can be passed from one object to another, each object calling * match() to get the information that they need out of the URL. This is generally handled by * {@link RequestHandler::handleRequest()}. - * - * @todo Accept X_HTTP_METHOD_OVERRIDE http header and $_REQUEST['_method'] to override request types (useful for - * webclients not supporting PUT and DELETE) */ class HTTPRequest implements ArrayAccess { @@ -156,7 +153,7 @@ class HTTPRequest implements ArrayAccess */ public function __construct($httpMethod, $url, $getVars = array(), $postVars = array(), $body = null) { - $this->httpMethod = strtoupper(self::detect_method($httpMethod, $postVars)); + $this->httpMethod = strtoupper($httpMethod); $this->setUrl($url); $this->getVars = (array) $getVars; $this->postVars = (array) $postVars; @@ -830,6 +827,21 @@ public function httpMethod() return $this->httpMethod; } + /** + * Explicitly set the HTTP method for this request. + * @param string $method + * @return $this + */ + public function setHttpMethod($method) + { + if (!self::isValidHttpMethod($method)) { + user_error('HTTPRequest::setHttpMethod: Invalid HTTP method', E_USER_ERROR); + } + + $this->httpMethod = strtoupper($method); + return $this; + } + /** * Return the URL scheme (e.g. "http" or "https"). * Equivalent to PSR-7 getUri()->getScheme() 
@@ -855,25 +867,28 @@ public function setScheme($scheme) } /** - * Gets the "real" HTTP method for a request. - * - * Used to work around browser limitations of form - * submissions to GET and POST, by overriding the HTTP method - * with a POST parameter called "_method" for PUT, DELETE, HEAD. - * Using GET for the "_method" override is not supported, - * as GET should never carry out state changes. - * Alternatively you can use a custom HTTP header 'X-HTTP-Method-Override' - * to override the original method. - * The '_method' POST parameter overrules the custom HTTP header. + * @param string $method + * @return bool + */ + private static function isValidHttpMethod($method) + { + return in_array(strtoupper($method), ['GET','POST','PUT','DELETE','HEAD']); + } + + /** + * Gets the "real" HTTP method for a request. This method is no longer used to mitigate the risk of web cache + * poisoning. * + * @see https://www.silverstripe.org/download/security-releases/CVE-2019-19326 * @param string $origMethod Original HTTP method from the browser request * @param array $postVars * @return string HTTP method (all uppercase) + * @deprecated 4.4.7 */ public static function detect_method($origMethod, $postVars) { if (isset($postVars['_method'])) { - if (!in_array(strtoupper($postVars['_method']), array('GET','POST','PUT','DELETE','HEAD'))) { + if (!self::isValidHttpMethod($postVars['_method'])) { user_error('HTTPRequest::detect_method(): Invalid "_method" parameter', E_USER_ERROR); } return strtoupper($postVars['_method']);
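Review bot: isValidHttpMethod() accepts only GET, POST, PUT, DELETE and HEAD, so `setHttpMethod('PATCH')` or `'OPTIONS'` now dies with E_USER_ERROR; if that restriction is intended, the setHttpMethod() docblock should list the accepted values and carry the same `@see` link to the advisory that detect_method() gained, since this is the replacement callers are expected to migrate to. detect_method() is tagged `@deprecated 4.4.7` but emits no deprecation notice when called, so remaining callers will not surface; consider raising one (the framework's Deprecation::notice() is the usual route) and naming setHttpMethod() as the replacement in the tag.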
tests/php/Control/HTTPRequestTest.php+77 −24 modified@@ -61,9 +61,15 @@ public function testHttpMethodOverrides() array(), array('_method' => 'DELETE') ); + $this->assertTrue( + $request->isPOST(), + '_method override is no longer honored' + ); + + $this->assertFalse( $request->isDELETE(), - 'POST with valid method override to DELETE' + 'DELETE _method override is not honored' ); $request = new HTTPRequest( @@ -72,9 +78,9 @@ public function testHttpMethodOverrides() array(), array('_method' => 'put') ); - $this->assertTrue( + $this->assertFalse( $request->isPUT(), - 'POST with valid method override to PUT' + 'PUT _method override is not honored' ); $request = new HTTPRequest( 
@@ -83,31 +89,78 @@ public function testHttpMethodOverrides() array(), array('_method' => 'head') ); - $this->assertTrue( + $this->assertFalse( $request->isHEAD(), - 'POST with valid method override to HEAD ' + 'HEAD _method override is not honored' ); + } - $request = new HTTPRequest( - 'POST', - 'admin/crm', - array(), - array('_method' => 'head') - ); - $this->assertTrue( - $request->isHEAD(), - 'POST with valid method override to HEAD' - ); + public function detectMethodDataProvider() + { + return [ + 'Plain POST request' => ['POST', [], 'POST'], + 'Plain GET request' => ['GET', [], 'GET'], + 'Plain DELETE request' => ['DELETE', [], 'DELETE'], + 'Plain PUT request' => ['PUT', [], 'PUT'], + 'Plain HEAD request' => ['HEAD', [], 'HEAD'], - $request = new HTTPRequest( - 'POST', - 'admin/crm', - array('_method' => 'head') - ); - $this->assertTrue( - $request->isPOST(), - 'POST with invalid method override by GET parameters to HEAD' - ); + 'Request with GET method override' => ['POST', ['_method' => 'GET'], 'GET'], + 'Request with HEAD method override' => ['POST', ['_method' => 'HEAD'], 'HEAD'], + 'Request with DELETE method override' => ['POST', ['_method' => 'DELETE'], 'DELETE'], + 'Request with PUT method override' => ['POST', ['_method' => 'PUT'], 'PUT'], + 'Request with POST method override' => ['POST', ['_method' => 'POST'], 'POST'], + + 'Request with mixed case method override' => ['POST', ['_method' => 'gEt'], 'GET'] + ]; + } + + /** + * @dataProvider detectMethodDataProvider + */ + public function testDetectMethod($realMethod, $post, $expected) + { + $actual = HTTPRequest::detect_method($realMethod, $post); + $this->assertEquals($expected, $actual); + } + + /** + * @expectedException PHPUnit_Framework_Error + */ + public function testBadDetectMethod() + { + HTTPRequest::detect_method('POST', ['_method' => 'Boom']); + } + + public function setHttpMethodDataProvider() + { + return [ + 'POST request' => ['POST','POST'], + 'GET request' => ['GET', 'GET'], + 
'DELETE request' => ['DELETE', 'DELETE'], + 'PUT request' => ['PUT', 'PUT'], + 'HEAD request' => ['HEAD', 'HEAD'], + 'Mixed case POST' => ['gEt', 'GET'], + ]; + } + + /** + * @dataProvider setHttpMethodDataProvider + */ + public function testSetHttpMethod($method, $expected) + { + $request = new HTTPRequest('GET', '/hello'); + $returnedRequest = $request->setHttpMethod($method); + $this->assertEquals($expected, $request->httpMethod()); + $this->assertEquals($request, $returnedRequest); + } + + /** + * @expectedException PHPUnit_Framework_Error + */ + public function testBadSetHttpMethod() + { + $request = new HTTPRequest('GET', '/hello'); + $request->setHttpMethod('boom'); } public function testRequestVars()
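Review bot: the new tests exercise `_method` in HTTPRequest::__construct() and setHttpMethod(), but nothing covers HTTPRequestBuilder::cleanEnvironment(), where the `HTTP_X_ORIGINAL_URL` and `X-HTTP-Method-Override` handling was removed in the same commit; add a test asserting that REQUEST_URI and REQUEST_METHOD come through unchanged when those keys are present. The removed case that passed `_method` as a GET var ('POST with invalid method override by GET parameters to HEAD') is dropped without replacement, so the GET-var path is no longer asserted. In setHttpMethodDataProvider() the case labelled `'Mixed case POST'` passes `'gEt'` and expects `'GET'`; rename it `'Mixed case GET'`.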
107706c12cd9 [CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod()
3 files changed · +107 −49
src/Control/HTTPRequestBuilder.php+0 −10 modified@@ -135,16 +135,6 @@ public static function extractRequestHeaders(array $server) */ public static function cleanEnvironment(array $variables) { - // IIS will sometimes generate this. - if (!empty($variables['_SERVER']['HTTP_X_ORIGINAL_URL'])) { - $variables['_SERVER']['REQUEST_URI'] = $variables['_SERVER']['HTTP_X_ORIGINAL_URL']; - } - - // Override REQUEST_METHOD - if (isset($variables['_SERVER']['X-HTTP-Method-Override'])) { - $variables['_SERVER']['REQUEST_METHOD'] = $variables['_SERVER']['X-HTTP-Method-Override']; - } - // Merge $_FILES into $_POST $variables['_POST'] = array_merge((array)$variables['_POST'], (array)$variables['_FILES']);
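Review bot: the removed X-HTTP-Method-Override branch keys on `$variables['_SERVER']['X-HTTP-Method-Override']` rather than an `HTTP_`-prefixed key like the X-Original-Url branch two lines above, which suggests the header override here was not reachable as written; worth confirming and reflecting in the advisory. The IIS `HTTP_X_ORIGINAL_URL` rewrite is removed with no pointer for IIS operators on how to supply REQUEST_URI from now on; a release note would help.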
src/Control/HTTPRequest.php+30 −15 modified@@ -18,9 +18,6 @@ * The intention is that a single HTTPRequest object can be passed from one object to another, each object calling * match() to get the information that they need out of the URL. This is generally handled by * {@link RequestHandler::handleRequest()}. - * - * @todo Accept X_HTTP_METHOD_OVERRIDE http header and $_REQUEST['_method'] to override request types (useful for - * webclients not supporting PUT and DELETE) */ class HTTPRequest implements ArrayAccess { @@ -156,7 +153,7 @@ class HTTPRequest implements ArrayAccess */ public function __construct($httpMethod, $url, $getVars = array(), $postVars = array(), $body = null) { - $this->httpMethod = strtoupper(self::detect_method($httpMethod, $postVars)); + $this->httpMethod = strtoupper($httpMethod); $this->setUrl($url); $this->getVars = (array) $getVars; $this->postVars = (array) $postVars; @@ -830,6 +827,21 @@ public function httpMethod() return $this->httpMethod; } + /** + * Explicitly set the HTTP method for this request. + * @param string $method + * @return $this + */ + public function setHttpMethod($method) + { + if (!self::isValidHttpMethod($method)) { + user_error('HTTPRequest::setHttpMethod: Invalid HTTP method', E_USER_ERROR); + } + + $this->httpMethod = strtoupper($method); + return $this; + } + /** * Return the URL scheme (e.g. "http" or "https"). * Equivalent to PSR-7 getUri()->getScheme() 
@@ -855,25 +867,28 @@ public function setScheme($scheme) } /** - * Gets the "real" HTTP method for a request. - * - * Used to work around browser limitations of form - * submissions to GET and POST, by overriding the HTTP method - * with a POST parameter called "_method" for PUT, DELETE, HEAD. - * Using GET for the "_method" override is not supported, - * as GET should never carry out state changes. - * Alternatively you can use a custom HTTP header 'X-HTTP-Method-Override' - * to override the original method. - * The '_method' POST parameter overrules the custom HTTP header. + * @param string $method + * @return bool + */ + private static function isValidHttpMethod($method) + { + return in_array(strtoupper($method), ['GET','POST','PUT','DELETE','HEAD']); + } + + /** + * Gets the "real" HTTP method for a request. This method is no longer used to mitigate the risk of web cache + * poisoning. * + * @see https://www.silverstripe.org/download/security-releases/CVE-2019-19326 * @param string $origMethod Original HTTP method from the browser request * @param array $postVars * @return string HTTP method (all uppercase) + * @deprecated 4.4.7 */ public static function detect_method($origMethod, $postVars) { if (isset($postVars['_method'])) { - if (!in_array(strtoupper($postVars['_method']), array('GET','POST','PUT','DELETE','HEAD'))) { + if (!self::isValidHttpMethod($postVars['_method'])) { user_error('HTTPRequest::detect_method(): Invalid "_method" parameter', E_USER_ERROR); } return strtoupper($postVars['_method']);
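Review bot: the `@deprecated 4.4.7` tag on detect_method() does not say what to use instead; name setHttpMethod() there, and give setHttpMethod() its own description of accepted values, since isValidHttpMethod() limits it to GET, POST, PUT, DELETE and HEAD and anything else is a fatal E_USER_ERROR rather than an exception a caller can catch.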
tests/php/Control/HTTPRequestTest.php+77 −24 modified@@ -60,9 +60,15 @@ public function testHttpMethodOverrides() array(), array('_method' => 'DELETE') ); + $this->assertTrue( + $request->isPOST(), + '_method override is no longer honored' + ); + + $this->assertFalse( $request->isDELETE(), - 'POST with valid method override to DELETE' + 'DELETE _method override is not honored' ); $request = new HTTPRequest( @@ -71,9 +77,9 @@ public function testHttpMethodOverrides() array(), array('_method' => 'put') ); - $this->assertTrue( + $this->assertFalse( $request->isPUT(), - 'POST with valid method override to PUT' + 'PUT _method override is not honored' ); $request = new HTTPRequest( 
@@ -82,31 +88,78 @@ public function testHttpMethodOverrides() array(), array('_method' => 'head') ); - $this->assertTrue( + $this->assertFalse( $request->isHEAD(), - 'POST with valid method override to HEAD ' + 'HEAD _method override is not honored' ); + } - $request = new HTTPRequest( - 'POST', - 'admin/crm', - array(), - array('_method' => 'head') - ); - $this->assertTrue( - $request->isHEAD(), - 'POST with valid method override to HEAD' - ); + public function detectMethodDataProvider() + { + return [ + 'Plain POST request' => ['POST', [], 'POST'], + 'Plain GET request' => ['GET', [], 'GET'], + 'Plain DELETE request' => ['DELETE', [], 'DELETE'], + 'Plain PUT request' => ['PUT', [], 'PUT'], + 'Plain HEAD request' => ['HEAD', [], 'HEAD'], - $request = new HTTPRequest( - 'POST', - 'admin/crm', - array('_method' => 'head') - ); - $this->assertTrue( - $request->isPOST(), - 'POST with invalid method override by GET parameters to HEAD' - ); + 'Request with GET method override' => ['POST', ['_method' => 'GET'], 'GET'], + 'Request with HEAD method override' => ['POST', ['_method' => 'HEAD'], 'HEAD'], + 'Request with DELETE method override' => ['POST', ['_method' => 'DELETE'], 'DELETE'], + 'Request with PUT method override' => ['POST', ['_method' => 'PUT'], 'PUT'], + 'Request with POST method override' => ['POST', ['_method' => 'POST'], 'POST'], + + 'Request with mixed case method override' => ['POST', ['_method' => 'gEt'], 'GET'] + ]; + } + + /** + * @dataProvider detectMethodDataProvider + */ + public function testDetectMethod($realMethod, $post, $expected) + { + $actual = HTTPRequest::detect_method($realMethod, $post); + $this->assertEquals($expected, $actual); + } + + /** + * @expectedException PHPUnit_Framework_Error + */ + public function testBadDetectMethod() + { + HTTPRequest::detect_method('POST', ['_method' => 'Boom']); + } + + public function setHttpMethodDataProvider() + { + return [ + 'POST request' => ['POST','POST'], + 'GET request' => ['GET', 'GET'], + 
'DELETE request' => ['DELETE', 'DELETE'], + 'PUT request' => ['PUT', 'PUT'], + 'HEAD request' => ['HEAD', 'HEAD'], + 'Mixed case POST' => ['gEt', 'GET'], + ]; + } + + /** + * @dataProvider setHttpMethodDataProvider + */ + public function testSetHttpMethod($method, $expected) + { + $request = new HTTPRequest('GET', '/hello'); + $returnedRequest = $request->setHttpMethod($method); + $this->assertEquals($expected, $request->httpMethod()); + $this->assertEquals($request, $returnedRequest); + } + + /** + * @expectedException PHPUnit_Framework_Error + */ + public function testBadSetHttpMethod() + { + $request = new HTTPRequest('GET', '/hello'); + $request->setHttpMethod('boom'); } public function testRequestVars()
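Review bot: the data-provider case `'Mixed case POST' => ['gEt', 'GET']` is mislabelled (it tests GET), and no test covers the HTTPRequestBuilder::cleanEnvironment() change in this commit; add one asserting `HTTP_X_ORIGINAL_URL` no longer alters REQUEST_URI.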
98926e4e6c26 [CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod().
5 files changed · +110 −46
control/Director.php+1 −3 modified@@ -117,9 +117,7 @@ public static function direct($url, DataModel $model) { } $req = new SS_HTTPRequest( - (isset($_SERVER['X-HTTP-Method-Override'])) - ? $_SERVER['X-HTTP-Method-Override'] - : $_SERVER['REQUEST_METHOD'], + $_SERVER['REQUEST_METHOD'], $url, $_GET, ArrayLib::array_merge_recursive((array) $_POST, (array) $_FILES),
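Review bot: Director::direct() now passes `$_SERVER['REQUEST_METHOD']` straight through, and the removed ternary was the documented way (per the SS_HTTPRequest docblock this commit also deletes) for clients that cannot send PUT or DELETE to do so; the 3.7.5 release notes should say that integrators needing that behaviour must call setHttpMethod() from their own request handling, after validating the source themselves.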
control/HTTPRequest.php+28 −15 modified@@ -11,9 +11,6 @@ * match() to get the information that they need out of the URL. This is generally handled by * {@link RequestHandler::handleRequest()}. * - * @todo Accept X_HTTP_METHOD_OVERRIDE http header and $_REQUEST['_method'] to override request types (useful for - * webclients not supporting PUT and DELETE) - * * @package framework * @subpackage control */ @@ -106,7 +103,7 @@ class SS_HTTPRequest implements ArrayAccess { * Construct a SS_HTTPRequest from a URL relative to the site root. */ public function __construct($httpMethod, $url, $getVars = array(), $postVars = array(), $body = null) { - $this->httpMethod = strtoupper(self::detect_method($httpMethod, $postVars)); + $this->httpMethod = strtoupper($httpMethod); $this->setUrl($url); $this->getVars = (array) $getVars; 
@@ -726,24 +723,40 @@ public function httpMethod() { } /** - * Gets the "real" HTTP method for a request. - * - * Used to work around browser limitations of form - * submissions to GET and POST, by overriding the HTTP method - * with a POST parameter called "_method" for PUT, DELETE, HEAD. - * Using GET for the "_method" override is not supported, - * as GET should never carry out state changes. - * Alternatively you can use a custom HTTP header 'X-HTTP-Method-Override' - * to override the original method in {@link Director::direct()}. - * The '_method' POST parameter overrules the custom HTTP header. + * Explicitly set the HTTP method for this request. + * @param string $method + * @return $this + */ + public function setHttpMethod($method) { + if(!self::isValidHttpMethod($method)) { + user_error('SS_HTTPRequest::setHttpMethod: Invalid HTTP method', E_USER_ERROR); + } + + $this->httpMethod = strtoupper($method); + return $this; + } + + /** + * @param string $method + * @return bool + */ + private static function isValidHttpMethod($method) { + return in_array(strtoupper($method), array('GET','POST','PUT','DELETE','HEAD')); + } + + /** + * Gets the "real" HTTP method for a request. This method is no longer used to mitigate the risk of web cache + * poisoning. * + * @see https://www.silverstripe.org/download/security-releases/CVE-2019-19326 * @param string $origMethod Original HTTP method from the browser request * @param array $postVars * @return string HTTP method (all uppercase) + * @deprecated 3.7.5 */ public static function detect_method($origMethod, $postVars) { if(isset($postVars['_method'])) { - if(!in_array(strtoupper($postVars['_method']), array('GET','POST','PUT','DELETE','HEAD'))) { + if (!self::isValidHttpMethod($postVars['_method'])) { user_error('Director::direct(): Invalid "_method" parameter', E_USER_ERROR); } return strtoupper($postVars['_method']);
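Review bot: the retained error message `user_error('Director::direct(): Invalid "_method" parameter', E_USER_ERROR)` names the wrong function; since the line directly above it is being rewritten to use isValidHttpMethod(), change the message to `SS_HTTPRequest::detect_method()`. The `@deprecated 3.7.5` tag should also name setHttpMethod() as the replacement, and setHttpMethod() should document that only GET, POST, PUT, DELETE and HEAD are accepted.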
main.php+0 −5 modified@@ -60,11 +60,6 @@ // we handle our own cache headers in this application session_cache_limiter(''); -// IIS will sometimes generate this. -if(!empty($_SERVER['HTTP_X_ORIGINAL_URL'])) { - $_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_ORIGINAL_URL']; -} - // Enable the entity loader to be able to load XML in Zend_Locale_Data libxml_disable_entity_loader(false);
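Review bot: removing the IIS `HTTP_X_ORIGINAL_URL` to REQUEST_URI copy in main.php is the right fix, but it is a behaviour change for IIS hosts that relied on it for routing; the release notes should state that REQUEST_URI must now be supplied by the web server's own rewrite configuration.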
tests/control/HTTPRequestTest.php+80 −17 modified@@ -51,8 +51,12 @@ public function testHttpMethodOverrides() { array('_method' => 'DELETE') ); $this->assertTrue( + $request->isPOST(), + '_method override is no longer honored.' + ); + $this->assertFalse( $request->isDELETE(), - 'POST with valid method override to DELETE' + 'DELETE _method override is not honored.' ); $request = new SS_HTTPRequest( @@ -61,9 +65,9 @@ public function testHttpMethodOverrides() { array(), array('_method' => 'put') ); - $this->assertTrue( + $this->assertFalse( $request->isPUT(), - 'POST with valid method override to PUT' + 'PUT _method override is not honored.' ); $request = new SS_HTTPRequest( 
@@ -72,33 +76,92 @@ public function testHttpMethodOverrides() { array(), array('_method' => 'head') ); - $this->assertTrue( + $this->assertFalse( $request->isHEAD(), - 'POST with valid method override to HEAD ' + 'HEAD _method override is not honored.' ); $request = new SS_HTTPRequest( 'POST', 'admin/crm', - array(), - array('_method' => 'head') + array('_method' => 'delete') ); - $this->assertTrue( - $request->isHEAD(), - 'POST with valid method override to HEAD' + $this->assertFalse( + $request->isDELETE(), + 'DELETE _method override is not honored.' ); + } - $request = new SS_HTTPRequest( - 'POST', - 'admin/crm', - array('_method' => 'head') + public function detectMethodDataProvider() + { + return array( + 'Plain POST request' => array('POST', array(), 'POST'), + 'Plain GET request' => array('GET', array(), 'GET'), + 'Plain DELETE request' => array('DELETE', array(), 'DELETE'), + 'Plain PUT request' => array('PUT', array(), 'PUT'), + 'Plain HEAD request' => array('HEAD', array(), 'HEAD'), + + 'Request with GET method override' => array('POST', array('_method' => 'GET'), 'GET'), + 'Request with HEAD method override' => array('POST', array('_method' => 'HEAD'), 'HEAD'), + 'Request with DELETE method override' => array('POST', array('_method' => 'DELETE'), 'DELETE'), + 'Request with PUT method override' => array('POST', array('_method' => 'PUT'), 'PUT'), + 'Request with POST method override' => array('POST', array('_method' => 'POST'), 'POST'), + + 'Request with mixed case method override' => array('POST', array('_method' => 'gEt'), 'GET'), ); - $this->assertTrue( - $request->isPOST(), - 'POST with invalid method override by GET parameters to HEAD' + } + + + /** + * @dataProvider detectMethodDataProvider + */ + public function testDetectMethod($realMethod, $post, $expected) + { + $actual = SS_HTTPRequest::detect_method($realMethod, $post); + $this->assertEquals($expected, $actual); + } + + + /** + * @expectedException PHPUnit_Framework_Error + */ + public function 
testBadDetectMethod() + { + SS_HTTPRequest::detect_method('POST', array('_method' => 'Boom')); + } + + public function setHttpMethodDataProvider() + { + return array( + 'POST request' => array('POST','POST'), + 'GET request' => array('GET', 'GET'), + 'DELETE request' => array('DELETE', 'DELETE'), + 'PUT request' => array('PUT', 'PUT'), + 'HEAD request' => array('HEAD', 'HEAD'), + 'Mixed case POST' => array('gEt', 'GET'), ); } + /** + * @dataProvider setHttpMethodDataProvider + */ + public function testSetHttpMethod($method, $expected) + { + $request = new SS_HTTPRequest('GET', '/hello'); + $returnedRequest = $request->setHttpMethod($method); + $this->assertEquals($expected, $request->httpMethod()); + $this->assertEquals($request, $returnedRequest); + } + + /** + * @expectedException PHPUnit_Framework_Error + */ + public function testBadSetHttpMethod() + { + $request = new SS_HTTPRequest('GET', '/hello'); + $request->setHttpMethod('boom'); + } + public function testRequestVars() { $getVars = array( 'first' => 'a',
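Review bot: good that the GET-var `_method` case is kept (now `array('_method' => 'delete')` asserting not DELETE) rather than dropped; the setHttpMethodDataProvider() case labelled `'Mixed case POST'` passes `'gEt'` and expects `'GET'`, so rename it `'Mixed case GET'`. Nothing exercises the main.php change, which is understandable for a bootstrap file, but a Director-level test that a request with `HTTP_X_ORIGINAL_URL` set still routes to the real URL would pin the fix.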
tests/FakeController.php+1 −6 modified@@ -10,12 +10,7 @@ public function __construct() { $this->pushCurrent(); - $request = new SS_HTTPRequest( - (isset($_SERVER['X-HTTP-Method-Override'])) - ? $_SERVER['X-HTTP-Method-Override'] - : $_SERVER['REQUEST_METHOD'], - '/' - ); + $request = new SS_HTTPRequest($_SERVER['REQUEST_METHOD'], '/'); $this->setRequest($request); $this->setResponse(new SS_HTTPResponse());
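Review bot: FakeController now builds its request from `$_SERVER['REQUEST_METHOD']` alone, and SS_HTTPRequest::__construct() calls strtoupper() on whatever it receives; under the CLI test runner that key is typically absent, so a default (`isset(...) ? ... : 'GET'`) would avoid a notice and an empty method. The issue predates this change, but this is now the only source.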
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q9ff-3q93-fm8m (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-19326 (GHSA, advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-19326.yaml (GHSA, web)
- github.com/silverstripe/silverstripe-framework/commit/107706c12cd9cf4d1b8b96b6a6e223633209d851 (GHSA, web)
- github.com/silverstripe/silverstripe-framework/commit/8518987cbd1eaca71b65dd4a4b35591db941509a (GHSA, web)
- github.com/silverstripe/silverstripe-framework/commit/98926e4e6c26d1d43bb1faf516d15bdb2739556e (GHSA, web)
- www.silverstripe.org/download/security-releases/CVE-2019-19326 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.