Security release: symfony 1.4.20 released
by Fabien Potencier – November 25, 2012 – 6 comments

symfony 1.4.20 has just been released and it contains a security fix.

Uli Hecht contacted us a couple of days ago about a security issue in symfony 1.4. The vulnerability allows reading any file stored on the server if it is readable by the web server. Your application is vulnerable if there is a form that contains a file upload field and the uploaded file is stored under a web-accessible area (somewhere under the web root directory).

If you are vulnerable, we highly recommend you to upgrade as soon as possible, and if it is not possible, please apply the following patch:

Index: lib/form/sfForm.class.php
===================================================================
--- lib/form/sfForm.class.php       (revision 33597)
+++ lib/form/sfForm.class.php       (working copy)
@@ -222,6 +222,8 @@
       $this->taintedFiles = array();
     }

+    $this->checkTaintedValues($this->taintedValues);
+
     try
     {
       $this->doBind(self::deepArrayUnion($this->taintedValues, self::convertFileInformation($this->taintedFiles)));
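Review bot: bind() can now throw InvalidArgumentException from checkTaintedValues() before doBind() runs, but nothing in this hunk documents that new failure mode; add an `@throws InvalidArgumentException` line to the bind() docblock so callers that wrap binding in their own error handling know to expect it. Placing the call after the `$this->taintedFiles = array();` normalization and before the deepArrayUnion() merge is the right spot: the POST payload is rejected before it can be merged with the real $_FILES data.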
@@ -1336,4 +1338,24 @@

     return $array1;
   }
+
+  /**
+   * Checks that the $_POST values do not contain something that
+   * looks like a file upload (coming from $_FILE).
+   */
+  protected function checkTaintedValues($values)
+  {
+    foreach ($values as $name => $value)
+    {
+      if (!is_array($value)) {
+        continue;
+      }
+
+      if (isset($value['tmp_name'])) {
+        throw new InvalidArgumentException('Do not try to fake a file upload.');
+      }
+
+      $this->checkTaintedValues($value);
+    }
+  }
 }
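Review bot: brace placement in the new method is inconsistent with the rest of the file: `foreach ($values as $name => $value)` puts its brace on its own line (the file's convention, cf. `try` and the method signature), while `if (!is_array($value)) {` and `if (isset($value['tmp_name'])) {` keep it on the same line; move those two braces to their own lines. The docblock also says the values come from `$_FILE`; the superglobal is `$_FILES`.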

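The patch above rejects POST data that is shaped like a `$_FILES` entry before the form merges the two arrays. As an added illustration (not symfony's code and not part of the original post), the stand-alone PHP below does the same recursive check on constructed sample input and pairs it with the second line of defence PHP itself offers: `is_uploaded_file()` and `move_uploaded_file()` only accept temporary paths that PHP created for the current request's upload, so a `tmp_name` pointing anywhere else is refused. The function names `checkTaintedValues()` (kept from the patch) and `storeUpload()`, and the `/placeholder/path` value, are assumptions made for the example.

```php
<?php
// Added example, not symfony's own code: the tainted-values check from the
// 1.4.20 patch as a stand-alone function, plus the PHP-level upload check
// that a file handler should apply regardless of framework version.

/**
 * Reject any $_POST-derived array that carries a 'tmp_name' key, i.e. one
 * that is shaped like an entry of $_FILES. Recurses into nested arrays so
 * embedded forms (name[sub][field]) are covered too.
 *
 * @throws InvalidArgumentException
 */
function checkTaintedValues(array $values)
{
    foreach ($values as $name => $value) {
        if (!is_array($value)) {
            continue;
        }
        if (array_key_exists('tmp_name', $value)) {
            throw new InvalidArgumentException(sprintf('Field "%s" looks like a faked file upload.', $name));
        }
        checkTaintedValues($value);
    }
}

/**
 * Store one $_FILES entry only if PHP confirms that its temporary path was
 * produced by this request's upload handling. Returns the destination path,
 * or null when the upload is refused. $targetDir is assumed to be a
 * directory outside the web root.
 */
function storeUpload(array $file, $targetDir)
{
    if (!isset($file['tmp_name'], $file['error']) || UPLOAD_ERR_OK !== $file['error']) {
        return null;
    }
    // Refuses arbitrary server paths: only a file PHP wrote for this
    // request's upload passes this test.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Never reuse the client-supplied name for the stored file.
    $target = rtrim($targetDir, '/').'/'.sha1(uniqid('', true));

    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed sample input: an ordinary nested POST payload is accepted.
checkTaintedValues(array(
    'article' => array('title' => 'Hello', 'tags' => array('a', 'b')),
));
echo "ordinary POST data accepted\n";

// Constructed sample input: a POST array shaped like a $_FILES entry
// (placeholder path) is rejected before any file handling runs.
try {
    checkTaintedValues(array(
        'article' => array('attachment' => array('tmp_name' => '/placeholder/path', 'name' => 'x')),
    ));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Constructed sample input: an upload entry whose tmp_name is not a path PHP
// created for this request is refused by storeUpload() as well (null).
var_dump(storeUpload(
    array('tmp_name' => '/placeholder/path', 'error' => UPLOAD_ERR_OK, 'name' => 'x'),
    sys_get_temp_dir()
));
```

Run it from the command line with `php example.php`; the third call returns `null` because `is_uploaded_file()` is false for any path that was not registered as an upload for the running request. Keeping that check in the file-handling code means the protection does not depend solely on the form layer's validation.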
Here are the other changes for this release (from the CHANGELOG):

  • [33545] fixed sfPDOSessionStorage for Oracle (closes #10022)
  • [33544] fixed sfWebRequest::splitHttpAcceptHeader incorrect result order (closes #10069, patch by Keri Henare)
  • [33539] fixed exception format when using the PHP 5.4 built-in server (closes #10067, based on a patch from jgskin)
  • [33486] fixed sfPDODatabase::call() method (closes #10044)

If you've checked out a copy of the tag from Subversion you can switch to the latest version:

$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_20

If you are using the PEAR package you can update using the pear command:

$ pear upgrade symfony/symfony-1.4.20

And as always, don't forget to clear your cache after upgrading.

Comments

  • Andreas Brillisauer
    #1 Andreas Brillisauer said on the 2012/11/26 at 13:11
    Seems that Swift Mailer also was updated. Swift_Mime_SimpleMessage::__construct now has 5 parameters. The fourth is new (Swift_Mime_Grammar).

    Unfortunately there is nothing to find in the changelog about that :-)
  • Jérémie Augustin
    #2 Jérémie Augustin said on the 2012/11/26 at 15:56
    @fabpot I think the vulnerability applies also to forms that store files in a private folder and allow the user to download them through a controller.

    Would you update the git mirror?
  • Rajesh Meniya
    #3 Rajesh Meniya said on the 2012/11/27 at 14:58
    Important update
    Just updated to 1.4.20 in one of my projects.
  • Rajesh Meniya
    #4 Rajesh Meniya said on the 2012/11/27 at 15:00
    Can't find 1.4.20 in the Legacy releases combo.
  • Jamie Estep
    #5 Jamie Estep said on the 2012/11/29 at 17:32
    Not sure, but Swift is now causing a ton of problems. Had to revert 3 servers back to previous versions.
  • Tomasz Marcinkowski
    #6 Tomasz Marcinkowski said on the 2013/01/17 at 22:13
    #5: I confirm that! I've just wasted a whole day on Xdebugging only to find that all those fatal errors I had were caused by the Swiftmailer update. Symfony 1.4.20 is NOT backward compatible if you use Swiftmailer in a certain way. If you had enqueued a bunch of emails using a previous version (in my case: 1.4.18) and you try to send them using the new one, a lot of problems come up, and all of them are related to unserialization and to the recently added Swift_Mime_Grammar class.
    My problem is even worse now, because a production server had been using 1.4.20 for some time and my email queue consists of mixed .18- and .20-enqueued emails, so both code revisions give fatals on send attempts :(