Fabien Potencier
Security: Access Control Documentation Issue
by Fabien Potencier – January 10, 2013 – 3 comments

Please read this post carefully, as your application may be vulnerable if you are using access control rules to secure some paths or ESI/Hinclude fragments via the _internal routes.

We have recently discovered that the documentation for access control rules was incorrect. Thanks to Victor Berchet for reporting this issue.

This is a serious problem as these access control rules let you secure some parts of your application; it is even worse as the example in the security.yml file in the Symfony Standard Edition was also incorrect.

To make a long story short, using the ip setting in an access rule does not restrict the path so that it is accessible only from the given IP address:

access_control:
    - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }

The above rule does not restrict access to localhost (127.0.0.1) for requests whose path starts with /_internal. A rule only applies to requests that match all of its conditions, so a request coming from any other IP address matches no rule at all and is therefore not restricted. If you want paths starting with /_internal to be accessible only from localhost, use the following configuration instead:

access_control:
    - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
    - { path: ^/_internal, roles: ROLE_NO_ACCESS }
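The following Python script is an added illustration, not code from this post or from Symfony itself. It models the first-match semantics of access_control rules (a rule applies only when every condition it declares matches; the first matching rule decides; a request that matches no rule is not restricted) and evaluates both rule sets above against a local and a remote client. The rule dictionaries, the simplified role check, and the `unguarded_ip_rules` lint are constructed for this example and are not a Symfony API.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed rule sets mirroring the two access_control snippets in the post.
WEAK_RULES = [
    {"path": r"^/_internal", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"], "ip": "127.0.0.1"},
]

FIXED_RULES = [
    {"path": r"^/_internal", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"], "ip": "127.0.0.1"},
    {"path": r"^/_internal", "roles": ["ROLE_NO_ACCESS"]},
]


def rule_matches(rule, path, client_ip):
    """A rule matches only when every condition it declares matches:
    the path regex, and the ip (single address or CIDR) if one is given."""
    if not re.search(rule["path"], path):
        return False
    if "ip" in rule and ip_address(client_ip) not in ip_network(rule["ip"], strict=False):
        return False
    return True


def first_matching_rule(rules, path, client_ip):
    """Rules are evaluated in order; the first one that matches is the only one applied."""
    for rule in rules:
        if rule_matches(rule, path, client_ip):
            return rule
    return None


def is_granted(rules, path, client_ip, user_roles):
    """Return True if the request is allowed.

    A request that matches no rule is not subject to access_control at all,
    so it is allowed: that is exactly the trap in the weak configuration.
    Role checking is simplified: IS_AUTHENTICATED_ANONYMOUSLY is satisfied by
    every request, any other required role must be held by the user."""
    rule = first_matching_rule(rules, path, client_ip)
    if rule is None:
        return True
    required = rule["roles"]
    if "IS_AUTHENTICATED_ANONYMOUSLY" in required:
        return True
    return any(role in user_roles for role in required)


def unguarded_ip_rules(rules):
    """Constructed lint: return the path patterns of ip-constrained rules that are
    not followed by an unconstrained rule for the same pattern, i.e. paths where a
    request from a non-matching IP would fall through every rule."""
    problems = []
    for i, rule in enumerate(rules):
        if "ip" not in rule:
            continue
        has_fallback = any(r["path"] == rule["path"] and "ip" not in r for r in rules[i + 1:])
        if not has_fallback:
            problems.append(rule["path"])
    return problems


if __name__ == "__main__":
    # Anonymous client (no roles) from localhost and from a constructed remote address.
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        for ip in ("127.0.0.1", "10.0.0.5"):
            print(name, ip, "->", "granted" if is_granted(rules, "/_internal/foo", ip, []) else "denied")
    print("unguarded ip rules in weak config:", unguarded_ip_rules(WEAK_RULES))
```

Running it shows the remote client being granted access under the weak rule set and denied under the fixed one; the lint flags `^/_internal` in the weak configuration only. The same fall-through applies to any access rule that combines ip with a permissive role, not just the _internal example from the post.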

If you want to learn more about how access control rules work, read the updated documentation, or have a look at the patch we have just pushed. The example in the Symfony Standard Edition has also been updated accordingly.

The documentation update is only the first step towards the resolution of this issue as the way access control rules can be configured is very confusing. We are working on improving access control rules configuration for Symfony 2.3.

Comments

  • #1 Bernhard Schussek said on the 2013/01/11 at 00:28
    Great! Should this be added to the "Security Advisories"?
  • #2 Victor Berchet said on the 2013/01/11 at 09:15
    I probably should not be the one to get credit for this, the issue has been reported before (sorry, can't remember by whom and how).

    I agree with Bernhard that this should be listed in the "Security Advisories" at symfony.com/security.
  • #3 Victor Berchet said on the 2013/01/11 at 09:18
    I would also like to thank Ryan for the detailed documentation: http://symfony.com/doc/2.0/book/security.html#securing-specific-url-patterns