Please read this post carefully, as your application may be vulnerable if you are using access control rules to secure some paths, or ESI/Hinclude fragments served via the _internal routes.
We have recently discovered that the documentation for access control rules was incorrect. Thanks to Victor Berchet for reporting this issue.
This is a serious problem as these access control rules let you secure some parts of your application; it is even worse as the example in the security.yml file in the Symfony Standard Edition was also incorrect.
To make a long story short, using the ip setting in an access rule does not restrict the path to requests coming from the given IP address. The ip setting only narrows when the rule applies: a request from any other address simply does not match the rule, and if no later rule matches either, the request is let through:

    access_control:
        - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
The above rule does not restrict access to localhost (127.0.0.1) for requests whose path starts with /_internal. If you want paths starting with /_internal to be accessible only from localhost, use the following configuration instead, where the second rule catches every request the first one did not match and denies it (no user ever holds ROLE_NO_ACCESS):

    access_control:
        - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
        - { path: ^/_internal, roles: ROLE_NO_ACCESS }
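To make the difference between the two configurations concrete, here is a small model of how access_control rules are evaluated: rules are tried in order, the first one whose path and (if set) ip match decides the required roles, and a request that matches no rule at all is not denied. This is an added example written for this post, not Symfony's own code; the AccessRule class, the is_allowed() function, the sample request paths and the remote address 203.0.113.7 are all constructed for illustration.

```python
"""Model of Symfony access_control first-match semantics (added example, not
Symfony's code). It reproduces why an `ip`-only rule does not restrict a path:
a rule whose `ip` does not match the client is skipped, and a request that
matches no rule at all is allowed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccessRule:
    path: str               # regular expression matched against the request path
    roles: List[str]        # roles required when this rule matches
    ip: Optional[str] = None  # optional client IP or CIDR the rule is limited to

    def matches(self, path: str, client_ip: str) -> bool:
        """True if this rule applies to the request; `ip` narrows applicability, it never denies."""
        if not re.search(self.path, path):
            return False
        if self.ip is not None:
            network = ipaddress.ip_network(self.ip, strict=False)
            # A client of the other IP version (e.g. ::1 vs 127.0.0.1) is simply "not in" the network.
            return ipaddress.ip_address(client_ip) in network
        return True


def is_allowed(rules: List[AccessRule], path: str, client_ip: str, user_roles: set) -> bool:
    """First matching rule decides; if no rule matches, access control does not apply."""
    for rule in rules:
        if rule.matches(path, client_ip):
            return any(role in user_roles for role in rule.roles)
    return True


# Rule from the old documentation and the old Standard Edition security.yml.
INSECURE_RULES = [
    AccessRule(path=r"^/_internal", roles=["IS_AUTHENTICATED_ANONYMOUSLY"], ip="127.0.0.1"),
]

# Corrected configuration: the catch-all second rule denies everyone the first
# rule did not match, because no user ever holds ROLE_NO_ACCESS.
SECURE_RULES = [
    AccessRule(path=r"^/_internal", roles=["IS_AUTHENTICATED_ANONYMOUSLY"], ip="127.0.0.1"),
    AccessRule(path=r"^/_internal", roles=["ROLE_NO_ACCESS"]),
]

# Every visitor, logged in or not, carries IS_AUTHENTICATED_ANONYMOUSLY.
ANONYMOUS = {"IS_AUTHENTICATED_ANONYMOUSLY"}

# Constructed sample requests: an internal fragment path hit from localhost and
# from a remote address (203.0.113.7 is a documentation-range address).
INTERNAL_PATH = "/_internal/secure/fragment"
LOCAL_IP = "127.0.0.1"
REMOTE_IP = "203.0.113.7"


def check_configs() -> dict:
    """Evaluate both configurations for a local and a remote anonymous request."""
    return {
        "insecure_local": is_allowed(INSECURE_RULES, INTERNAL_PATH, LOCAL_IP, ANONYMOUS),
        "insecure_remote": is_allowed(INSECURE_RULES, INTERNAL_PATH, REMOTE_IP, ANONYMOUS),
        "secure_local": is_allowed(SECURE_RULES, INTERNAL_PATH, LOCAL_IP, ANONYMOUS),
        "secure_remote": is_allowed(SECURE_RULES, INTERNAL_PATH, REMOTE_IP, ANONYMOUS),
        "secure_other_path": is_allowed(SECURE_RULES, "/blog", REMOTE_IP, ANONYMOUS),
    }


if __name__ == "__main__":
    for name, allowed in check_configs().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

With the insecure rules the remote request to /_internal is allowed, because the only rule does not match a non-localhost client and nothing else stops it; with the corrected rules the same request falls through to the ROLE_NO_ACCESS rule and is denied, while localhost and unrelated paths behave as before. Note that the ip value is matched literally, so a client arriving over the IPv6 loopback (::1) does not match 127.0.0.1 and is denied by the corrected rules as well.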
If you want to learn more about how access control rules work, read the updated documentation, or have a look at the patch we have just pushed. The example in the Symfony Standard Edition has also been updated accordingly.
The documentation update is only the first step towards the resolution of this issue as the way access control rules can be configured is very confusing. We are working on improving access control rules configuration for Symfony 2.3.
Great! Should this be added to the "Security Advisories"?
I probably should not be the one to get credits for this, the issue has been reported before (sorry, can't remember by who and how).
I agree with Bernhard that this should be listed in the "Security Advisories" at symfony.com/security.
I would also like to thank Ryan for the detailed documentation: http://symfony.com/doc/2.0/book/security.html#securing-specific-url-patterns