Symfony 2.0.22 and Symfony 2.1.7 have just been released and they both contain security fixes for the YAML component (CVE-2013-1348 and CVE-2013-1397).
CVE-2013-1348: Ability to enable/disable PHP parsing in Yaml::parse()
Affected versions
All 2.0.X versions of the YAML component are affected by this issue.
Description
When parsing an input with Yaml::parse(), and if the input is a valid filename, the input is evaluated as a PHP file before being parsed as YAML. If the input comes from an untrusted source, malicious code might be executed.
Symfony applications are not vulnerable to this attack but if you are parsing YAML with the YAML component in your application, check that your code does not pass untrusted input to Yaml::parse(). Note that Yaml\Parser::parse() is not affected.
Resolution
In Symfony 2.1, even if the input is a file, it is not evaluated as PHP by default when calling Yaml::parse(); but you can enable PHP evaluation support by calling the Yaml::enablePhpParsing() function.
The 2.1 behavior has been backported to Symfony 2.0. We have also added a setPhpParsing() method that allows you to switch easily from one mode to another:
use Symfony\Component\Yaml\Yaml;

// Opt in to PHP evaluation of the file (off by default after this release)
Yaml::setPhpParsing(true);
Yaml::parse($filename);
// Switch back to the safe default once the trusted file has been parsed
Yaml::setPhpParsing(false);
Note that the ability to evaluate PHP files in Yaml::parse() is deprecated and will be removed in 2.3; the ability to pass a filename to Yaml::parse() is deprecated and will be removed in 3.0.
Credits
I would like to thank Pádraic Brady for reporting this security issue.
CVE-2013-1397: Ability to enable/disable object support in YAML parsing and dumping
Affected versions
All versions of the YAML component (2.0.X, 2.1.X, and 2.2.X) are affected by this issue.
Description
The Symfony YAML component supports PHP objects parsing and dumping (via the !!php/object: XXX notation).
When parsing an untrusted input that contains a serialized PHP object, it will be unserialized by default, which can lead to malicious code being executed.
Symfony applications are not vulnerable to this attack but if you are parsing YAML in your application, check that your code does not pass untrusted input to Yaml::parse() or Yaml\Parser::parse().
Resolution
By default, the YAML component does not parse or dump PHP objects anymore; it replaces them with a null value instead.
Two new arguments have been added to the YAML parsing and dumping methods; they allow you to control the behavior of the YAML engine regarding object support:
use Symfony\Component\Yaml\Yaml;
use Symfony\Component\Yaml\Parser;
use Symfony\Component\Yaml\Dumper;

// whether an exception should be thrown when an invalid type is handled (a PHP resource or a PHP object)
// when set to false (the default), the invalid type value is replaced with the null value
// when set to true, an exception is thrown
$exceptionOnInvalidType = false;

// whether object support is enabled or not (disabled by default)
// when not enabled, Symfony throws an exception if $exceptionOnInvalidType is true and returns null otherwise.
$objectSupport = false;

// static helpers
Yaml::parse($input, $exceptionOnInvalidType, $objectSupport);
Yaml::dump($yaml, 2, 4, $exceptionOnInvalidType, $objectSupport);

// the same two arguments on the Parser and Dumper objects
$parser = new Parser();
$parser->parse($input, $exceptionOnInvalidType, $objectSupport);

$dumper = new Dumper();
$dumper->dump($input, 2, 0, $exceptionOnInvalidType, $objectSupport);
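The following is an added example (not Symfony's own code) that applies both mitigations described in this post in one small loader: the file contents are read by the application and handed to Yaml\Parser::parse() as a string, so a filename is never passed to Yaml::parse() (CVE-2013-1348), and object support is disabled with exceptions enabled so that a !!php/object: tag is rejected rather than unserialized (CVE-2013-1397). It assumes a Composer-installed YAML component at one of the fixed versions (2.0.22, 2.1.7 or 2.2.x), so that Yaml::setPhpParsing() and the two new parse() arguments exist; the function name loadYamlFileSafely and the sample documents are constructed for this illustration.

```php
<?php
// Added example, not part of the Symfony project. Assumes the YAML component is
// installed through Composer at a version carrying the fixes discussed above.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Yaml\Yaml;
use Symfony\Component\Yaml\Parser;
use Symfony\Component\Yaml\Exception\ParseException;

/**
 * Parse a YAML file without ever giving the file name to Yaml::parse().
 *
 * The contents are read here and passed as a string to Yaml\Parser::parse(),
 * which the post states is not affected by CVE-2013-1348. Object support is
 * turned off and invalid types raise an exception, so a "!!php/object:" value
 * (CVE-2013-1397) is refused instead of being unserialized or silently nulled.
 */
function loadYamlFileSafely($path)
{
    // Defensive: make sure PHP evaluation stays off for any other code in the
    // process that still calls Yaml::parse() (setPhpParsing() is the toggle
    // introduced in 2.0.22 / 2.1.7; this is an assumption about the installed version).
    Yaml::setPhpParsing(false);

    $contents = @file_get_contents($path);
    if (false === $contents) {
        throw new \RuntimeException(sprintf('Unable to read YAML file "%s".', $path));
    }

    $exceptionOnInvalidType = true;  // fail loudly on PHP objects/resources
    $objectSupport = false;          // never unserialize objects from input

    $parser = new Parser();

    return $parser->parse($contents, $exceptionOnInvalidType, $objectSupport);
}

// Constructed sample documents: a benign configuration and one carrying an
// object tag of the kind described under CVE-2013-1397. The serialized payload
// is an empty stdClass; the point is that the tag itself is rejected.
$benign  = "database:\n    host: localhost\n    port: 3306\n";
$hostile = "config: !!php/object:O:8:\"stdClass\":0:{}\n";

$benignPath  = sys_get_temp_dir() . '/benign.yml';
$hostilePath = sys_get_temp_dir() . '/hostile.yml';
file_put_contents($benignPath, $benign);
file_put_contents($hostilePath, $hostile);

// The benign file parses to a nested array as usual.
$config = loadYamlFileSafely($benignPath);
var_dump($config);

// The file containing the object tag is refused by the parser.
try {
    loadYamlFileSafely($hostilePath);
} catch (ParseException $e) {
    // With object support disabled and exceptions enabled, the parser stops
    // here instead of calling unserialize() on data it did not produce itself.
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Passing `$exceptionOnInvalidType = true` is the more useful setting for a loader: with the default `false`, an object tag in untrusted input degrades to null without any signal, which can leave a configuration key unexpectedly empty rather than failing the request.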
Credits
I would like to thank Johannes Schmitt for reporting this security issue.
"when not enabled, Symfony throws an exception if $exceptionOnInvalidType is false and returns null otherwise."
Shouldn't this say true?
Thanks for the release.
Hello, I just installed sf2.1.7 with composer, and I'm facing a problem with twig template heritage: the following line, ok with the previous versions, {% extends "linceoBlogBundle::layout.html.twig" %} leads now to an error: An exception has been thrown during the rendering of a template ("Unrecognized field: 0") in "linceoBlogBundle:Blog:modifier.html.twig"
Is it something linked to the new version? TIA