symfony 1.0.16 is out
– May 14, 2008
– 6 comments
symfony 1.0.16 is out and fixes an important security breach. This is the shortest changelog one may find between two releases: a one line file.
- r8922: fixed yml validator file can be overriden by a remote attacker (#1617)
The issue is described in ticket #1617.
An attacker could bypass the validation process and get unsecure data through your actions. Your applications are only vulnerable is you use the :action placeholder in your routing rules. This is the case if you rely on the default symfony routing rule (/:module/:action/*).
If you use symfony 1.1, your applications are only vulnerable if you use the 1.0 compat layer.
Everybody is encouraged to upgrade as soon as possible.
For 1.0 : You can apply the patch directly from here http://trac.symfony-project.com/changeset/8922 or upgrade to 1.0.16 either by using the PEAR package (pear upgrade symfony/symfony-1.0.16) or by using the Debian package.
For 1.1 : You can apply the patch available here http://trac.symfony-project.com/changeset/8925. The patch will be part of the next 1.1 release candidate.