Security Release: Symfony 2.0.6
by Fabien Potencier – November 16, 2011 – 14 comments

Symfony 2.0.6 has just been released. It addresses a security vulnerability in the EntityUserProvider as provided in the Doctrine bridge.

If you let your users update their login/username from a form, and if you are using Doctrine as a user provider, then you are vulnerable and you should upgrade as soon as possible.

The issue is that a user can switch to another user's account. Here is how to reproduce it: the current user changes his username via a form to another, already existing username. When the form is submitted, he gets a validation error (as the username already exists), but the user object stored in the session has already been modified to carry the new username. That session user is used to refresh the user on the next requests, and so the user ends up switched to the other user.

The fix is to always refresh the user via the primary key (which cannot be updated via a form) instead of the username.
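As an added illustration (not code from this post or from Symfony itself), here is a stripped-down model of the two refresh strategies; the User class and the in-memory array standing in for the database are assumptions:

```php
<?php
// Added illustration, not Symfony's own code: a minimal in-memory user
// provider showing why refreshing the session user by username lets an
// account be switched, and why refreshing by primary key does not.

final class User
{
    public function __construct(public int $id, public string $username) {}
}

// Constructed sample "database": two existing accounts.
$db = [
    1 => new User(1, 'alice'),
    2 => new User(2, 'bob'),
];

// Pre-2.0.6 behaviour: look the user up again by username, i.e. by a
// field that a profile form is allowed to modify.
function refreshByUsername(array $db, User $sessionUser): ?User
{
    foreach ($db as $u) {
        if ($u->username === $sessionUser->username) {
            return $u;
        }
    }
    return null;
}

// Fixed behaviour: look the user up by the primary key, which a form
// cannot change. Returns null when the row no longer exists.
function refreshById(array $db, User $sessionUser): ?User
{
    return $db[$sessionUser->id] ?? null;
}

// Simulate the report: alice is logged in, so the session holds a
// serialized copy of her object (hence the clone). The form binds "bob"
// onto that copy; validation then rejects it because the name is taken,
// but the object in the session already carries the new username.
$sessionUser = clone $db[1];
$sessionUser->username = 'bob';

// Next request: the security context refreshes the user from the session.
// The username lookup now resolves to bob's row; the id lookup still
// resolves to alice's.
$byName = refreshByUsername($db, $sessionUser);
$byId   = refreshById($db, $sessionUser);
printf("refresh by username -> id %d (%s)\n", $byName->id, $byName->username);
printf("refresh by id       -> id %d (%s)\n", $byId->id, $byId->username);
```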

If you cannot upgrade immediately, please apply the following patch: https://github.com/symfony/symfony/commit/9d2ab9ca9c1762

The CHANGELOG has all the details about all the other changes and you can have a look at the full diff.

If you are starting a new project, you can get the Symfony Standard Edition distribution on the download page.

If you already have a project based on the Symfony Standard Edition 2.0.x, you can easily upgrade to 2.0.6 by getting the new deps and deps.lock files.

Then, run the vendors script:

$ ./bin/vendors install

And don't forget to clear your cache:

$ php ./app/console cache:clear

Remember that the Symfony2 Components are also available as standalone libraries. You can get them via their dedicated read-only repositories on Github (https://github.com/symfony/Finder for instance), install them via PEAR (pear install symfony2/Finder), or even install them via Composer.

As we've stated in the past, please report security-related issues to security [at] symfony-project [dot] com rather than posting them directly to Github. This will give the core team the opportunity to review and address the issue before word gets out.


  • Jacob Dreesen
    #1 Jacob Dreesen said on the 2011/11/16 at 22:21
    Small hint: you can get patches (or diffs) from github directly by simply appending ".patch" (or ".diff") to the url. So, to get a patch file for the security related commit: https://github.com/symfony/symfony/commit/9d2ab9ca9c1762.patch
  • Daniel Żelazny
    #2 Daniel Żelazny said on the 2011/11/16 at 23:56
    Hi,

    I have a problem with refreshing the logged-in user via the security context by username. It seems like the $entity in the method getIdentifierValues of Doctrine/Orm/Mapping/ClassMetaData.php should have an 'id' value (from the Token?), or maybe there should be more elements in $this->identifier? Also, $this->isIdentifierComposite is false.

    What's wrong?

    Sorry for my bad English.
  • Jeremy Mikola
    #3 Jeremy Mikola said on the 2011/11/17 at 00:16
    For any ODM users, here is a (hopefully soon to be merged) pull request on DoctrineMongoDBBundle with the equivalent security fix: https://github.com/symfony/DoctrineMongoDBBundle/pull/56
  • Juan Carlos
    #4 Juan Carlos said on the 2011/11/17 at 03:54
    how come Sektion Eins didn't detect this vulnerability during the security audit?
  • Raphael Schumacher
    #5 Raphael Schumacher said on the 2011/11/17 at 09:25
    Thanks guys!
  • Pierre Minnieur
    #6 Pierre Minnieur said on the 2011/11/17 at 09:45
    Horacio: either this bug was introduced after the audit, or this is such an edge case that you couldn't find it without some real-world experience (which I think is how it was detected).
  • Yoann PETIT
    #7 Yoann PETIT said on the 2011/11/17 at 13:53
    I agree with Horacio. But it's true that it isn't a common case.
    If you are using the FOSUserBundle, you'll have no problem because the user is always refreshed.
  • Nicolás Moreira
    #8 Nicolás Moreira said on the 2011/11/18 at 01:45
    Thanks for the fix. Best regards from Uruguay
  • Jordan Stout
    #9 Jordan Stout said on the 2011/11/18 at 07:37
    Kudos to me for finding this issue ;)
  • Jordan Stout
    #10 Jordan Stout said on the 2011/11/18 at 07:43
    Oh and +1 Jeremy Mikola's ODM push to be released asap.
  • Bryan Chen
    #11 Bryan Chen said on the 2011/11/18 at 10:57
    If EntityUserProvider->refreshUser() returns null, the ContextListener->refreshUser() will encounter an uncaught exception when trying to set the token's user to null.
  • Markus Lanthaler
    #12 Markus Lanthaler said on the 2011/11/24 at 06:15
    I've tried to update it on my Windows machine but it fails:

    fatal: ambiguous argument 'v2.0.6': unknown revision or path not in the working tree.
    Use '--' to separate paths from revisions

    If I delete the vendors/symfony directory I get the following error message:

    Cloning into D:\data\htdocs\smartcamp\Symfony/vendor/symfony...
    warning: remote HEAD refers to nonexistent ref, unable to checkout.

    fatal: ambiguous argument 'v2.0.6': unknown revision or path not in the working tree.
    Use '--' to separate paths from revisions
    fatal: bad default revision 'HEAD'

    Any idea how I can solve this problem?
  • Oleg Zinchenko
    #13 Oleg Zinchenko said on the 2011/11/25 at 01:50
    Thanks a lot.
  • Markus Lanthaler
    #14 Markus Lanthaler said on the 2011/11/28 at 07:26
    OK, I didn't change anything and tried it again today... et voilà, it just worked.