symfony 1.4.20 has just been released and it contains a security fix.

Uli Hecht contacted us a couple of days ago about a security issue in symfony 1.4. When a form is bound, the values submitted in the request body are merged with the information about uploaded files, so a crafted POST field shaped like a $_FILES entry (one carrying a tmp_name key that points at an arbitrary path on the server) could be accepted as if it were a genuine upload. The result is that an attacker can read any file stored on the server that is readable by the web server. Your application is vulnerable if it has a form with a file upload field and the uploaded file is stored under a web-accessible area (somewhere under the web root directory).
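To make the mechanism concrete, here is an added example; it is not code from symfony 1.4 or from the patch in this post. It models the bind step in miniature: a simplified merge of POST values with $_FILES data (the mergeTainted() helper is an assumption, not symfony's own deepArrayUnion()), a recursive check in the spirit of the fix that reports the offending field instead of throwing (findFakeUpload()), and a second, independent guard at the point where a file would be moved, using PHP's is_uploaded_file(). The form field names (profile, document), the sample paths and the request body are all constructed for the illustration.

```php
<?php
// Added illustration, not symfony code. Models how a POST field that is
// shaped like a $_FILES entry can survive the merge of request values and
// upload data, and how two independent checks refuse it.

/**
 * Simplified stand-in for merging tainted POST values with converted
 * $_FILES information (assumed behaviour, not symfony's deepArrayUnion()).
 * Entries from $files are written over entries from $post with the same key.
 */
function mergeTainted(array $post, array $files): array
{
    foreach ($files as $name => $value) {
        if (is_array($value) && isset($post[$name]) && is_array($post[$name])) {
            $post[$name] = mergeTainted($post[$name], $value);
        } else {
            $post[$name] = $value;
        }
    }

    return $post;
}

/**
 * Walks the submitted values and returns the path of the first array that
 * carries a tmp_name key (the signature of a $_FILES entry), or null if the
 * request body contains nothing that looks like a file upload.
 */
function findFakeUpload(array $values, string $path = ''): ?string
{
    foreach ($values as $name => $value) {
        if (!is_array($value)) {
            continue;
        }

        $here = $path === '' ? (string) $name : $path . '[' . $name . ']';

        if (array_key_exists('tmp_name', $value)) {
            return $here;
        }

        $found = findFakeUpload($value, $here);
        if ($found !== null) {
            return $found;
        }
    }

    return null;
}

/**
 * Second line of defence where the file would actually be moved: only a
 * file PHP itself received through an upload passes is_uploaded_file().
 * A faked entry pointing at an existing server file never does.
 */
function isGenuineUpload(array $file): bool
{
    return isset($file['tmp_name'])
        && is_string($file['tmp_name'])
        && is_uploaded_file($file['tmp_name']);
}

// Constructed sample request: nothing was really uploaded ($_FILES is empty),
// but the POST body impersonates a file field named "document".
$post = [
    'profile' => [
        'name'     => 'alice',
        'document' => [
            'name'     => 'harmless.txt',
            'type'     => 'text/plain',
            'tmp_name' => '/etc/passwd',   // any path the web server can read
            'error'    => 0,
            'size'     => 1234,
        ],
    ],
];
$files = [];

// Without any check, the merged array hands the fake entry to the file
// validator as if it were an upload, and the advisory's scenario follows:
// the referenced file is written into the (web-accessible) upload directory.
$merged = mergeTainted($post, $files);
var_dump(isset($merged['profile']['document']['tmp_name']));

// With the check, the request is refused before any validator runs.
$fake = findFakeUpload($post);
if ($fake !== null) {
    echo "rejected: POST field '$fake' is shaped like a file upload\n";
}

// And even if something slipped past bind(), the move step refuses
// anything PHP did not receive as an upload.
var_dump(isGenuineUpload($post['profile']['document']));
```

Run from the command line, the first var_dump() shows the fake entry surviving the merge, findFakeUpload() names profile[document] as the culprit, and isGenuineUpload() is false for the crafted entry. The two checks are deliberately independent: the first rejects the request shape, the second rejects the path, so a bypass of one does not defeat the other.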

If you are vulnerable, we strongly recommend that you upgrade as soon as possible; if that is not possible, apply the following patch:

Index: lib/form/sfForm.class.php
===================================================================
--- lib/form/sfForm.class.php	(revision 33597)
+++ lib/form/sfForm.class.php	(working copy)
@@ -222,6 +222,8 @@
       $this->taintedFiles = array();
     }

+    $this->checkTaintedValues($this->taintedValues);
+
     try
     {
       $this->doBind(self::deepArrayUnion($this->taintedValues, self::convertFileInformation($this->taintedFiles)));
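Review bot: checkTaintedValues() is called before the try block, so the InvalidArgumentException it throws escapes bind() rather than being handled together with the other binding problems caught there; if refusing the request outright is the intent, state it in the bind() docblock so callers know to expect the exception. The check also stops at the tmp_name key of $this->taintedValues, which is the right array to inspect since $this->taintedFiles comes from $_FILES, but as defence in depth the file validator should still confirm the path with is_uploaded_file() before it moves anything.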
@@ -1336,4 +1338,24 @@

     return $array1;
   }
+
+  /**
+   * Checks that the $_POST values do not contain something that
+   * looks like a file upload (coming from $_FILE).
+   */
+  protected function checkTaintedValues($values)
+  {
+    foreach ($values as $name => $value)
+    {
+      if (!is_array($value)) {
+        continue;
+      }
+
+      if (isset($value['tmp_name'])) {
+        throw new InvalidArgumentException('Do not try to fake a file upload.');
+      }
+
+      $this->checkTaintedValues($value);
+    }
+  }
 }
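
Review bot: the docblock on the new method refers to $_FILE; the PHP superglobal is $_FILES, so the comment should read "(coming from $_FILES)". Two smaller points in the loop body: isset($value['tmp_name']) is false when the key is present with a null value, so array_key_exists('tmp_name', $value) is the stricter test; and the two single-line "if (...) {" blocks put the opening brace on the same line, unlike the foreach directly above and the try block in the first hunk, which place it on its own line. For consistency with the file, write "if (!is_array($value))" with the brace on the following line, and likewise for the tmp_name check. A type hint, protected function checkTaintedValues(array $values), would also document that the recursion only ever receives arrays.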

Here are the other changes for this release, from the CHANGELOG:

  • [33545] fixed sfPDOSessionStorage for Oracle (closes #10022)
  • [33544] fixed sfWebRequest::splitHttpAcceptHeader incorrect result order (closes #10069, patch by Keri Henare)
  • [33539] fixed exception format when using the PHP 5.4 built-in server (closes #10067, based on a patch from jgskin)
  • [33486] fixed sfPDODatabase::call() method (closes #10044)

If you've checked out a copy of the tag from Subversion, you can switch to the latest version:

$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_20

If you are using the PEAR package you can update using the pear command:

$ pear upgrade symfony/symfony-1.4.20

And as always, don't forget to clear your cache after upgrading.