FOSRestBundle security issue with JSONP handler

January 22, 2014 · Published by Avatar of Lukas Kahwe Smith Lukas Kahwe Smith

Starting with FOSRestBundle 1.2 we switched to using willdurand/jsonp-callback-validator for validation of JSONP callbacks. However the change was implemented incorrectly validating the callback query param name, rather than its value. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.

Published in #Community

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Patrik Karisch
Patrik Karisch said on Jan 22, 2014
Thanks for the quick fix.
Avatar of Christophe Coevoet
Christophe Coevoet said on Jan 22, 2014
Please send a PR to https://github.com/sensiolabs/security-advisories to add it in the security checker

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.