Master Symfony2 fundamentals

Be trained by SensioLabs experts (2 to 6 day sessions -- French or English).

Discover the SensioLabs Support

Access to the SensioLabs Competency Center for an exclusive and tailor-made support on Symfony

Security Release: symfony 1.3.6 and 1.4.6
by Kris Wallsmith – June 29, 2010 – 0 comments

New releases for symfony 1.3 and 1.4 have been packaged sooner than expected to address a security vulnerability reported yesterday. It is strongly recommended that all applications running symfony 1.3 and 1.4 upgrade to this latest release immediately.

The Security Fix

One of the enhancements added to symfony 1.3 and 1.4 was the ability to cache rendered templates even when the current URL includes GET parameters (i.e. /feed?page=2). These parameters are used to create a unique cache key, which is then used to generate the directory structure where the cache files are stored.

These incoming parameters were not being properly cleaned, resulting the potential for directory traversal. For example, the response for /feed?page=.. would be stored higher in the cache's directory structure than intended. The extent of the vulnerability depends on how each deployment's file permissions are configured and only applies to applications with the cache setting enabled in settings.yml.

To see the changeset checkout r30031.

How to Upgrade

If you've checked out a copy of the tag from Subversion you can switch to the latest version:

// symfony 1.3
$ svn switch

// symfony 1.4
$ svn switch

If you are using the PEAR package you can update using the pear command:

// symfony 1.3
$ pear upgrade symfony/symfony-1.3.6

// symfony 1.4
$ pear upgrade symfony/symfony-1.4.6

How to Report Security Issues

As we've stated in the past, please report security-related issues to security [at] symfony-project [dot] com rather than posting them directly to Trac. This will give the core team the opportunity to review and address the issue before word gets out.

Be the first to comment this post