Symfony 2.0.11 has just been released and it contains a security vulnerability fix for the Serializer Component. If you are using the Serializer component, you should upgrade as soon as possible.
The security vulnerability has been reported this morning by Sense of Security:
"The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system."
They have also provided a possible exploit example:
$serializer = new Serializer(array(), array( 'xml' => new \Symfony\Component\Serializer\Encoder\XmlEncoder() )); $x = $serializer->decode('<?xml version="1.0"?><!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]><scan>&test;</scan>', 'xml'); var_dump($x);
In this case,
$x will now contain a copy of
/etc/passwd in base64 encoded
The vulnerability has been fixed today by Jordi Boggiano and we are releasing Symfony 2.0.11 tonight to ensure an easy upgrade path for everybody. If you cannot upgrade to 2.0.11, please at least apply the appropriate patch as soon as possible.
If you are starting a new project, you can get the Symfony Standard Edition distribution on the download page.
Then, run the vendors script (it also clears your cache):
$ ./bin/vendors install
Remember that the Symfony2 Components are also available as standalone
libraries. You can get them via their dedicated read-only repositories on
https://github.com/symfony/Finder for instance), install them via
pear install symfony2/Finder), or even
install them via Composer.