FOSRestBundle security issue with JSONP handler
by Lukas Kahwe Smith – January 22, 2014 – 2 comments

Starting with FOSRestBundle 1.2 we switched to using willdurand/jsonp-callback-validator for validation of JSONP callbacks. However, the change was implemented incorrectly: it validated the name of the callback query parameter rather than its value, so the client-supplied callback was never actually checked. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.
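Added example, not code from FOSRestBundle or from the post: a minimal JSONP handler in two versions, showing why checking the parameter name instead of its value silently accepts any callback. The validator here is a simplified stand-in for illustration (not willdurand/jsonp-callback-validator), and the query arrays are constructed samples.

```php
<?php
// Stand-in validator (assumption, not the real package): accepts a dotted
// JavaScript identifier path such as "jQuery123_done" or "app.cb.done".
function isValidJsonpCallback(string $callback): bool
{
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    return (bool) preg_match("/^{$ident}(\\.{$ident})*$/", $callback);
}

// The bug class described in the post: the constant parameter *name*
// ("callback") is validated, which always succeeds, and the untrusted
// *value* is written into the response unchecked.
function buggyJsonpResponse(array $query, string $json): string
{
    $paramName = 'callback';
    if (!isValidJsonpCallback($paramName)) {      // never fails
        throw new InvalidArgumentException('Invalid JSONP callback');
    }
    return sprintf('/**/%s(%s);', $query[$paramName] ?? '', $json);
}

// Corrected handler: the client-supplied *value* is validated before use.
function fixedJsonpResponse(array $query, string $json): string
{
    $callback = $query['callback'] ?? '';
    if (!isValidJsonpCallback($callback)) {
        throw new InvalidArgumentException('Invalid JSONP callback');
    }
    return sprintf('/**/%s(%s);', $callback, $json);
}

// Constructed sample input: one well-formed callback, one that is not an
// identifier at all and must be rejected.
$json    = json_encode(['ok' => true]);
$benign  = ['callback' => 'jQuery123_done'];
$invalid = ['callback' => 'done(); other'];

echo buggyJsonpResponse($benign, $json), PHP_EOL;   // fine either way
echo buggyJsonpResponse($invalid, $json), PHP_EOL;  // accepted: bug
echo fixedJsonpResponse($benign, $json), PHP_EOL;   // fine
try {
    fixedJsonpResponse($invalid, $json);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;   // fixed handler refuses it
}
```

Detection tip from the defender's side: the request log of a JSONP endpoint should only ever show callback values matching the identifier pattern above; anything else is a sign the value was never validated.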

Comments

  • #1 Patrik Karisch said on 2014/01/22 at 08:04
    Thanks for the quick fix.
  • #2 Christophe Coevoet said on 2014/01/22 at 08:25
    Please send a PR to https://github.com/sensiolabs/security-advisories to add it in the security checker