A SQL injection vulnerability in the Doctrine admin generator was reported earlier today which has been addressed in these 1.2.12, 1.3.3 and 1.4.3 security releases. This vulnerability was limited to the Doctrine admin generator and did not affect the Propel admin generator or any other aspect of symfony's Doctrine integration.

We recommend all projects that use the Doctrine admin generator upgrade to these latest versions immediately.

The vulnerability

The admin generator in sfDoctrinePlugin did not filter the GET request parameter that switches the sort order on record listing pages. Because that value reached the query unfiltered, manipulating the parameter in the URL made it possible to inject arbitrary SQL into the query that populates the list page. We have closed this hole with a simple whitelist filter that accepts only "asc" or "desc," case-insensitive. A whitelist is the right fix here: a sort direction is a SQL keyword rather than a value, so it cannot be passed as a bound parameter and must be validated before it is placed in the query.
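To make the flaw and the fix concrete, here is an added example that is not code from sfDoctrinePlugin or symfony: a minimal record-list query that concatenates the sort parameter the way the text describes, next to the same query guarded by the whitelist. The table, rows, function names and the attacker payload are all constructed for the illustration; the script runs on its own against an in-memory SQLite database (it needs the pdo_sqlite extension).

```php
<?php
// Added example, not sfDoctrinePlugin's code: the unfiltered sort parameter
// beside its whitelisted form, run against an in-memory SQLite database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for a project's records.
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$pdo->exec("INSERT INTO article (title) VALUES ('gamma')");
$pdo->exec("INSERT INTO article (title) VALUES ('alpha')");
$pdo->exec("INSERT INTO article (title) VALUES ('beta')");

// BEFORE (intentionally vulnerable): the request parameter is appended to
// ORDER BY unchecked, so whatever follows the column name is executed.
function listRecordsUnsafe(PDO $pdo, $sort)
{
    $sql = 'SELECT id, title FROM article ORDER BY title ' . $sort;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: a sort direction is a keyword, not a value, so it cannot be bound
// as a prepared-statement parameter. Accept exactly "asc" or "desc"
// (case-insensitive) and fall back to a default for anything else.
function sortDirection($sort, $default = 'asc')
{
    $sort = strtolower((string) $sort);
    return in_array($sort, array('asc', 'desc'), true) ? $sort : $default;
}

function listRecordsSafe(PDO $pdo, $sort)
{
    $sql = 'SELECT id, title FROM article ORDER BY title ' . sortDirection($sort);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker value for the sort parameter (e.g. ?sort=...). It is
// not a direction: a subquery of the attacker's choosing runs inside the
// listing query and a trailing LIMIT truncates the result. Blind extraction
// techniques build on exactly this kind of foothold.
$payload = 'ASC, (SELECT COUNT(*) FROM sqlite_master) LIMIT 1';

$unsafe = listRecordsUnsafe($pdo, $payload);
$safe   = listRecordsSafe($pdo, $payload);

printf("unsafe: %d row(s): %s\n", count($unsafe), implode(',', array_column($unsafe, 'title')));
printf("safe:   %d row(s): %s\n", count($safe), implode(',', array_column($safe, 'title')));
printf("safe with a legitimate 'DESC': %s\n",
    implode(',', array_column(listRecordsSafe($pdo, 'DESC'), 'title')));
```

The vulnerable path returns a single row because the attacker's LIMIT was executed; the guarded path ignores the payload, falls back to ascending order and returns all three rows, while a genuine "DESC" (any case) still works. The same check belongs on the sort column name if that is also taken from the request, since a column identifier cannot be bound as a parameter either.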

How to report a security issue

It behooves us all to review the process for reporting a security issue to the symfony core team. This process, described on the symfony wiki, is set aside from reporting other issues with the symfony code because security issues require special consideration. If you find a security vulnerability, please do not post to the symfony-users mailing list. Instead, send an email to security [at] symfony-project [dot] com describing the vulnerability and it will quickly be qualified and addressed. Once a fix is released, the vulnerability and fix will be announced on this blog.

How to upgrade

If you've checked out a tag from Subversion, switch to the latest one.

// symfony 1.2
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_2_12

// symfony 1.3
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_3_3

// symfony 1.4
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_3

If you installed symfony as a PEAR package, upgrade the package instead.

// symfony 1.2
$ pear upgrade symfony/symfony-1.2.12

// symfony 1.3
$ pear upgrade symfony/symfony-1.3.3

// symfony 1.4
$ pear upgrade symfony/symfony-1.4.3

Once that's complete, clear your project's cache.

$ php symfony cache:clear

If you'd prefer to download the security fix as a patch, you may do so for the 1.2, 1.3 or 1.4 branches.