symfony 1.0.16 is out and fixes an important security breach. This is the shortest changelog one may find between two releases: a one line file.

r8922: fixed yml validator file can be overriden by a remote attacker (#1617)

The issue is described in ticket #1617.

An attacker could bypass the validation process and get unsecure data through your actions. Your applications are only vulnerable is you use the :action placeholder in your routing rules. This is the case if you rely on the default symfony routing rule (/:module/:action/*).

If you use symfony 1.1, your applications are only vulnerable if you use the 1.0 compat layer.

Everybody is encouraged to upgrade as soon as possible.

For 1.0 : You can apply the patch directly from here http://trac.symfony-project.com/changeset/8922 or upgrade to 1.0.16 either by using the PEAR package (pear upgrade symfony/symfony-1.0.16) or by using the Debian package.

For 1.1 : You can apply the patch available here http://trac.symfony-project.com/changeset/8925. The patch will be part of the next 1.1 release candidate.

Published in #Releases #Security Advisories

Atko said on May 15, 2008 at 08:55

Great job!

Massimiliano said on May 15, 2008 at 09:53

I tried to upgrade, but I got:

WARNING: failed to download pear.symfony-project.com/symfony, version "1.0.16", will instead download version 1.0.15, stability "stable"

Suparno said on May 15, 2008 at 13:51

Hello All, I have made a new module in apps of MyProject using symfony propel-generate-crud Foldername programname ProgramName.

But it didn't generate generator.yml in config folder.

Then I used the command

symfony propel-init-admin FolderName programname ProgramName.

It generated generator.yml. I added the code

list: max_per_page:1

Since there are 2 data in the perticular table.

But the Pagination doesn't display, which was suppose to by default.

Please suggest as sson as process for the process to make the pagination work from actions.class.php, layout.php or any other template page, and myclass.php.

I need this help as soon as possible.

halfer said on May 15, 2008 at 14:19

@Suparno - the comments on the blog are an inappropriate place for general support questions. I believe you have also asked this on the fora, so please await an answer there, or ask on the users' mailing list.

Hugo said on May 16, 2008 at 00:10

My Symfony 1.0 is now up to date ! Thanks a lot for this important version ;)

arhak said on Jun 5, 2008 at 22:07

Oh, this is huge! This is why every website should reconsider revealing a "powered by Symfony" signature. There are a few issues in Symfony that should be discourage for production, only encouraged for RAD prototyping

symfony 1.0.16 is out

Comments

Become a Symfony contributor