Security: Access Control Documentation Issue

Please, read this post carefully as your application may be vulnerable if you are using access control rules to secure some paths or ESI/Hincludes via the _internal routes.

We have recently discovered that the documentation for access control rules was incorrect. Thanks to Victor Berchet for reporting this issue.

This is a serious problem as these access control rules let you secure some parts of your application; it is even worse as the example in the security.yml file in the Symfony Standard Edition was also incorrect.

To make a long story short, using the ip setting in an access rule does not restrict the path to be accessible only for the given IP address:

1
2

access_control:
    - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }

The above rule does not restrict access to localhost (127.0.0.1) for requests whose path start with /_internal. If you want paths starting with /_internal to be only accessible from localhost, use the following configuration instead:

1
2
3

access_control:
    - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
    - { path: ^/_internal, roles: ROLE_NO_ACCESS }

If you want to learn more about how access control rules work, read the updated documentation, or have a look at the patch we have just pushed. The example in the Symfony Standard Edition has also been updated accordingly.

The documentation update is only the first step towards the resolution of this issue as the way access control rules can be configured is very confusing. We are working on improving access control rules configuration for Symfony 2.3.