Archives


Master Symfony2 fundamentals

Be trained by SensioLabs experts (2 to 6 day sessions -- French or English).
trainings.sensiolabs.com

Discover the SensioLabs Support

Access to the SensioLabs Competency Center for an exclusive and tailor-made support on Symfony
sensiolabs.com

Fabien Potencier
Security release: Symfony 2.0.19 and 2.1.4
by Fabien Potencier – November 29, 2012 – 8 comments

I've just released Symfony 2.0.19 and 2.1.4. Both releases contain a security fix.

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()).

An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control.

To fix this security issue, the following changes have been made to all versions of Symfony2:

A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument:

// before (probably in your front controller script)
Request::trustProxyData();

// after
Request::setTrustedProxies(array('1.1.1.1'));
// 1.1.1.1 being the IP address of a trusted reverse proxy

The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):

Request::trustProxyData();

// is equivalent to
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches:

  • Patch for Symfony 2.0.19
  • Patch for Symfony 2.1.4

Comments RSS

  • Mike Kamornikov
    #1 Mike Kamornikov said on the 2012/11/29 at 14:22
    There was a security audit done by Sektion Eins like a year ago. I've found a post about problems found/fixed in Symfony2 itself but no info about Doctrine and Twig. Any info on that? Just curious )
  • Xavier HAUSHERR
    #2 Xavier HAUSHERR said on the 2012/11/29 at 14:23
    What about the "trust_proxy_headers: true" configuration ?
    Is there any configuration to inject a list of trusted proxies ?
  • Tom Boutell
    #3 Tom Boutell said on the 2012/11/29 at 15:32
    Is there any risk to an app that hasn't gone out of its way to trust a proxy in some fashion or to do IP-based access control?

    Thanks for keeping Symfony secure!
  • Loïc Vernet
    #4 Loïc Vernet said on the 2012/11/29 at 16:38
    The title is wrong it should be: "Symfony 2.0.19 and 2.1.4".

    Thanks for the release. ;)
  • Loïc Vernet
    #5 Loïc Vernet said on the 2012/11/30 at 10:36
    This file does not exists like as previous version: https://raw.github.com/symfony/symfony-standard/v2.0.19/deps.lock (was OK for 2.0.18) The tag is missing.
  • Toan Nguyen
    #6 Toan Nguyen said on the 2012/12/02 at 15:13
    Thank for release.

    btw, composer works well at this time.
  • Fabien Potencier
    #7 Fabien Potencier said on the 2012/12/20 at 18:00
    As of Symfony 2.0.20 and 2.1.5, there is a new trusted_proxies settings if you don't want to configure trusted proxies in your front controllers.
  • wenming tang
    #8 wenming tang said on the 2013/01/18 at 07:11
    Is very good