Security release: Symfony 2.0.19 and 2.1.4
by Fabien Potencier – November 29, 2012 – 8 comments

I've just released Symfony 2.0.19 and 2.1.4. Both releases contain a security fix.

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()).

An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control. In trust proxy mode the address is taken from a forwarding header (X-Forwarded-For) that the connecting client itself can set, so anyone who can reach the application can present an arbitrary IP address, including an allowed internal one.

To fix this security issue, the following changes have been made to all versions of Symfony2:

A new Request::setTrustedProxies() method has been introduced and should be used instead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument, and forwarding headers are only honored when the request actually comes from one of them:

// before (probably in your front controller script)
use Symfony\Component\HttpFoundation\Request;

Request::trustProxyData();

// after: list the reverse proxies whose forwarding headers may be trusted
Request::setTrustedProxies(array('1.1.1.1'));
// 1.1.1.1 being the IP address of a trusted reverse proxy

The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):

Request::trustProxyData();

// is equivalent to ($request being the current Request instance)
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));
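The following is an added example, not Symfony's code: a stand-alone Python model of the two ways of resolving the client IP described above. `client_ip_trust_any_proxy()` mirrors the old trust-anyone behaviour, `client_ip_trusted_proxies()` mirrors the setTrustedProxies() idea (honor the forwarding header only when the TCP peer is a listed proxy, then read the chain from the right, skipping trusted hops), and `deprecated_trust_proxy_data()` mirrors the trustProxyData() equivalence shown above. All function names, the proxy address 1.1.1.1 and the sample requests are assumptions constructed for the example; the header parsing is a simplified model, not Symfony's implementation.

```python
# Added example (not Symfony's code): a stand-alone model of client-IP
# resolution behind a reverse proxy, comparing "trust any forwarding
# header" with "trust only listed proxies". All addresses, function names
# and requests below are constructed sample data for illustration.
from ipaddress import ip_address, ip_network


def _forwarded_chain(header_value):
    """Split an X-Forwarded-For value into its hop list, left to right."""
    return [hop.strip() for hop in header_value.split(",") if hop.strip()]


def client_ip_trust_any_proxy(server, headers):
    """Old behaviour: if a forwarding header is present, believe its first
    entry no matter who sent it. Anyone who can reach the app can set it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return _forwarded_chain(xff)[0]
    return server["REMOTE_ADDR"]


def client_ip_trusted_proxies(server, headers, trusted_proxies):
    """Hardened behaviour, modelled on the setTrustedProxies() idea: the
    forwarding header is only honoured when the TCP peer is a listed proxy,
    and the chain is read from the right, discarding every trusted hop, so
    the answer is the first address a trusted proxy actually saw rather
    than one an untrusted party wrote into the header."""
    remote = server["REMOTE_ADDR"]
    trusted = set(trusted_proxies)
    if remote not in trusted:
        return remote  # peer is not a proxy we trust: ignore its headers
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return remote
    chain = _forwarded_chain(xff) + [remote]
    for hop in reversed(chain):
        if hop not in trusted:
            return hop
    return chain[0]  # every hop was a trusted proxy; fall back to the leftmost


def deprecated_trust_proxy_data(server, headers):
    """Model of the deprecated trustProxyData(): trusts whoever connected
    last, i.e. setTrustedProxies([REMOTE_ADDR]). Only safe when the app is
    reachable through the proxy alone; a direct connection is trusted too."""
    return client_ip_trusted_proxies(server, headers, [server["REMOTE_ADDR"]])


def ip_allowed(ip, allowed_networks):
    """IP-based access control of the kind the advisory warns about."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # forged header content that is not even an address
    return any(addr in net for net in allowed_networks)


INTERNAL = [ip_network("10.0.0.0/8")]  # assumed allow-list for an admin area
TRUSTED_PROXY = "1.1.1.1"              # the reverse proxy, as in the post


def run_scenarios():
    """Two constructed attacks: one bypassing the proxy, one going through it."""
    # 1. Attacker connects to the app directly and forges an internal address.
    direct = ({"REMOTE_ADDR": "203.0.113.7"}, {"X-Forwarded-For": "10.0.0.5"})
    # 2. Attacker goes through the real proxy, which appends their address.
    via_proxy = ({"REMOTE_ADDR": TRUSTED_PROXY},
                 {"X-Forwarded-For": "10.0.0.5, 203.0.113.7"})
    return {
        "direct_old": client_ip_trust_any_proxy(*direct),
        "direct_deprecated": deprecated_trust_proxy_data(*direct),
        "direct_new": client_ip_trusted_proxies(*direct, [TRUSTED_PROXY]),
        "proxy_old": client_ip_trust_any_proxy(*via_proxy),
        "proxy_new": client_ip_trusted_proxies(*via_proxy, [TRUSTED_PROXY]),
    }


if __name__ == "__main__":
    for name, ip in run_scenarios().items():
        print(f"{name:18} -> {ip:12} allowed={ip_allowed(ip, INTERNAL)}")
```

Run as a script, the old resolver and the deprecated mode both report the forged 10.0.0.5 for the direct connection and let it through the allow-list, while the trusted-proxy resolver reports the real peer 203.0.113.7 in both scenarios. The deprecated mode only holds up if the application cannot be reached except through the proxy, which is why listing the proxies explicitly is the safer configuration.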

We encourage all Symfony2 users to upgrade as soon as possible. If you don't want to upgrade to the latest version yet, you can also apply the following patches:

  • Patch for Symfony 2.0.19
  • Patch for Symfony 2.1.4

Comments

  • #1 Mike Kamornikov said on the 2012/11/29 at 14:22
    There was a security audit done by Sektion Eins like a year ago. I've found a post about problems found/fixed in Symfony2 itself but no info about Doctrine and Twig. Any info on that? Just curious )
  • #2 Xavier HAUSHERR said on the 2012/11/29 at 14:23
    What about the "trust_proxy_headers: true" configuration?
    Is there any configuration to inject a list of trusted proxies?
  • #3 Tom Boutell said on the 2012/11/29 at 15:32
    Is there any risk to an app that hasn't gone out of its way to trust a proxy in some fashion or to do IP-based access control?

    Thanks for keeping Symfony secure!
  • #4 Loïc Vernet said on the 2012/11/29 at 16:38
    The title is wrong, it should be: "Symfony 2.0.19 and 2.1.4".

    Thanks for the release. ;)
  • #5 Loïc Vernet said on the 2012/11/30 at 10:36
    This file does not exist as it did for the previous version: https://raw.github.com/symfony/symfony-standard/v2.0.19/deps.lock (was OK for 2.0.18). The tag is missing.
  • #6 Toan Nguyen said on the 2012/12/02 at 15:13
    Thanks for the release.

    By the way, composer works well at this time.
  • #7 Fabien Potencier said on the 2012/12/20 at 18:00
    As of Symfony 2.0.20 and 2.1.5, there is a new trusted_proxies setting if you don't want to configure trusted proxies in your front controllers.
  • #8 wenming tang said on the 2013/01/18 at 07:11
    It is very good.