Symfony 2.0.22 and Symfony 2.1.7 have just been released and they both contain security fixes for the YAML component (CVE-2013-1348 and CVE-2013-1397).

CVE-2013-1348: Ability to enable/disable PHP parsing in Yaml::parse()

Affected versions

All 2.0.X versions of the YAML component are affected by this issue.

Description

When Yaml::parse() is given an input string that is also a valid filename, the file is evaluated as PHP before its output is parsed as YAML. If the input comes from an untrusted source, malicious code might be executed.

Symfony applications are not vulnerable to this attack but if you are parsing YAML with the YAML component in your application, check that your code does not pass untrusted input to Yaml::parse(). Note that Yaml\Parser::parse() is not affected.

Resolution

In Symfony 2.1, even if the input is a file, it is not evaluated as PHP by default when calling Yaml::parse(); you can enable PHP evaluation by calling the Yaml::enablePhpParsing() method.

The 2.1 behavior has been backported to Symfony 2.0. We have also added a setPhpParsing() method that allows you to switch easily from one mode to another:

use Symfony\Component\Yaml\Yaml;

// Opt in to PHP evaluation of the file, only for this call
Yaml::setPhpParsing(true);
Yaml::parse($filename);
// Restore the safe default as soon as the trusted file has been parsed
Yaml::setPhpParsing(false);

Note that the ability to evaluate PHP files in Yaml::parse() is deprecated and will be removed in 2.3; the ability to pass a filename to Yaml::parse() is deprecated and will be removed in 3.0.

Credits

I would like to thank Pádraic Brady for reporting this security issue.

CVE-2013-1397: Ability to enable/disable object support in YAML parsing and dumping

Affected versions

All versions of the YAML component (2.0.X, 2.1.X, and 2.2.X) are affected by this issue.

Description

The Symfony YAML component supports parsing and dumping PHP objects (via the !!php/object: XXX notation).

When parsing an untrusted input that contains a serialized PHP object, it will be unserialized by default, which can lead to malicious code being executed.

Symfony applications are not vulnerable to this attack but if you are parsing YAML in your application, check that your code does not pass untrusted input to Yaml::parse() or Yaml\Parser::parse().

Resolution

By default, the YAML component does not parse or dump PHP objects anymore; it replaces them with a null value instead.

Two new arguments have been added to the YAML parsing and dumping methods; they allow you to control the behavior of the YAML engine regarding object support:

use Symfony\Component\Yaml\Yaml;
use Symfony\Component\Yaml\Parser;
use Symfony\Component\Yaml\Dumper;

// whether an exception should be thrown when an invalid type is handled (a PHP resource or a PHP object)
// when set to false (the default), the invalid type value is replaced with the null value
// when set to true, an exception is thrown
$exceptionOnInvalidType = false;

// whether object support is enabled or not (disabled by default)
// when not enabled, Symfony throws an exception if $exceptionOnInvalidType is true and returns null otherwise.
$objectSupport = false;

// static helpers: Yaml::dump($array, $inline, $indent, $exceptionOnInvalidType, $objectSupport)
Yaml::parse($input, $exceptionOnInvalidType, $objectSupport);
Yaml::dump($yaml, 2, 4, $exceptionOnInvalidType, $objectSupport);

// the same options on the Parser class
$parser = new Parser();
$parser->parse($input, $exceptionOnInvalidType, $objectSupport);

// and on the Dumper class: dump($input, $inline, $indent, $exceptionOnInvalidType, $objectSupport)
$dumper = new Dumper();
$dumper->dump($input, 2, 0, $exceptionOnInvalidType, $objectSupport);
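The following is an added example, not code from the advisory or from the Symfony project, showing how both fixes combine when an application has to parse YAML from an untrusted source. It assumes a YAML component at 2.0.22 / 2.1.7 or later reachable through a Composer autoloader (the autoload path and the helper name parseUntrustedYaml are assumptions), uses Yaml\Parser::parse() so that the input is never treated as a filename, and turns on $exceptionOnInvalidType while leaving $objectSupport off so that a document carrying a !!php/object: value is rejected rather than silently replaced by null:

```php
<?php
// Added example, not part of the Symfony YAML component.
// Assumption: the component (>= 2.0.22 or >= 2.1.7) is autoloadable from here.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Yaml\Parser;
use Symfony\Component\Yaml\Dumper;
use Symfony\Component\Yaml\Exception\ParseException;

/**
 * Parses YAML text that comes from an untrusted source (hypothetical helper).
 *
 * - Yaml\Parser::parse() is used instead of Yaml::parse(): the Parser never
 *   treats its argument as a filename, so a string that happens to match an
 *   existing path is parsed as YAML text and is never read or evaluated
 *   (the CVE-2013-1348 case).
 * - $objectSupport is false, so !!php/object: values are never unserialized,
 *   and $exceptionOnInvalidType is true, so such input fails loudly instead of
 *   being turned into null (the CVE-2013-1397 case).
 *
 * @param string $yaml YAML document text, never a filename
 *
 * @return mixed the parsed value
 *
 * @throws ParseException if the document is malformed or carries a PHP object
 */
function parseUntrustedYaml($yaml)
{
    $parser = new Parser();

    return $parser->parse($yaml, true, false);
}

// Constructed sample input: ordinary YAML, parsed normally.
$benign = "name: demo\nretries: 3\ntags: [a, b]\n";
var_dump(parseUntrustedYaml($benign));

// Constructed sample input using the object notation on a harmless stdClass.
// With object support off and exceptions on, the parser refuses it.
$withObject = "payload: !!php/object:O:8:\"stdClass\":0:{}\n";
try {
    parseUntrustedYaml($withObject);
    echo "unexpected: object notation was accepted\n";
} catch (ParseException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The same two flags on the dumping side: with object support off, an object
// in the data becomes null (or raises an exception when the fourth argument
// is true), so a dump cannot carry a serialized object by accident.
$dumper = new Dumper();
echo $dumper->dump(array('obj' => new \stdClass(), 'ok' => 1), 2, 0, false, false);
```

Keeping the two flags at their defaults (false, false) is the quiet option: objects vanish into null and the parse succeeds. For input you do not control, the exception form is usually preferable, because a null where a value was expected is harder to notice and log than a ParseException.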

Credits

I would like to thank Johannes Schmitt for reporting this security issue.