symfony 1.0.16 is out
by Grégoire Hubert – May 14, 2008 – 6 comments

symfony 1.0.16 is out and fixes an important security vulnerability. This is the shortest changelog one may find between two releases: a one-line file.

  • r8922: fixed yml validator file can be overridden by a remote attacker (#1617)

The issue is described in ticket #1617.

An attacker could bypass the validation process and pass unvalidated data into your actions. Your applications are only vulnerable if you use the :action placeholder in your routing rules. This is the case if you rely on the default symfony routing rule (/:module/:action/*).

If you use symfony 1.1, your applications are only vulnerable if you use the 1.0 compat layer.
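The defensive principle behind this issue is that the value of the :action placeholder comes straight from the URL, so it must be constrained before it is used to pick a per-action validator file. The PHP below is an added illustration written for this page; it is not symfony's code and not the r8922 fix. The modules/<module>/validate/<action>.yml layout and every function name in it are assumptions.

```php
<?php
// Added example, not part of symfony or of changeset r8922: treat the action
// name taken from the :action route placeholder as untrusted input before
// using it to locate the per-action validator file. The
// modules/<module>/validate/<action>.yml layout and the function names are
// assumptions made for this illustration.

function canonicalActionName(string $raw): ?string
{
    // Accept only a plain identifier. Anything else (slashes, dots, NUL
    // bytes, an empty string) could change which file gets resolved.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/D', $raw)) {
        return null;
    }
    // Use one canonical spelling for both the execute*() dispatch and the
    // validator lookup. PHP method names are case-insensitive while file
    // names generally are not, so the two must be derived the same way.
    return lcfirst($raw);
}

function resolveValidatorFile(string $moduleDir, string $rawAction): ?string
{
    $action = canonicalActionName($rawAction);
    if ($action === null) {
        // Refuse the request outright instead of silently skipping validation.
        throw new InvalidArgumentException('unsafe action name');
    }
    $validateDir = realpath($moduleDir . DIRECTORY_SEPARATOR . 'validate');
    if ($validateDir === false) {
        return null; // module ships no validate/ directory at all
    }
    $file = realpath($validateDir . DIRECTORY_SEPARATOR . $action . '.yml');
    if ($file === false) {
        return null; // no validator file for this action, which is legitimate
    }
    // realpath() resolved symlinks and '..'; as defence in depth, insist the
    // result still lies inside the module's validate/ directory.
    if (strpos($file, $validateDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('validator path escaped validate/');
    }
    return $file;
}

// Self-contained demonstration on a throw-away module directory (constructed).
$moduleDir = sys_get_temp_dir() . '/demo_module_' . getmypid();
mkdir($moduleDir . '/validate', 0700, true);
file_put_contents($moduleDir . '/validate/index.yml', "methods: [post]\n");

foreach (['index', 'Index', 'missing', 'sub/index'] as $candidate) {
    try {
        var_dump(resolveValidatorFile($moduleDir, $candidate));
    } catch (InvalidArgumentException $e) {
        echo $candidate, ': refused (', $e->getMessage(), ")\n";
    }
}

unlink($moduleDir . '/validate/index.yml');
rmdir($moduleDir . '/validate');
rmdir($moduleDir);
```

Run it with the php command-line binary: `index` and `Index` resolve to the same file because the name is canonicalised before the lookup, `missing` yields null because that action simply has no validator file, and `sub/index` is refused before any filesystem access. The point for a dispatcher is that "no validator file" and "unsafe action name" are different outcomes and must not collapse into one silent skip.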

Everybody is encouraged to upgrade as soon as possible.

For 1.0: you can apply the patch directly from http://trac.symfony-project.com/changeset/8922, or upgrade to 1.0.16 either with the PEAR package (pear upgrade symfony/symfony-1.0.16) or with the Debian package.

For 1.1: you can apply the patch available at http://trac.symfony-project.com/changeset/8925. The patch will be part of the next 1.1 release candidate.

Comments

  • #1 Atko said on 2008/05/15 at 08:55
    Great job!
  • #2 Massimiliano said on 2008/05/15 at 09:53
    I tried to upgrade, but I got:

    WARNING: failed to download pear.symfony-project.com/symfony, version "1.0.16", will instead download version 1.0.15, stability "stable"
  • #3 Suparno said on 2008/05/15 at 13:51
    Hello All,
    I have made a new module in apps of MyProject
    using symfony propel-generate-crud Foldername programname ProgramName.

    But it didn't generate generator.yml in the config folder.

    Then I used the command

    symfony propel-init-admin FolderName programname ProgramName.

    It generated generator.yml.
    I added the code

    list:
      max_per_page: 1

    Since there are 2 rows of data in the particular table.

    But the pagination doesn't display, which it was supposed to by default.

    Please suggest as soon as possible the process to make the pagination work from actions.class.php, layout.php or any other template page, and myclass.php.

    I need this help as soon as possible.
  • #4 halfer said on 2008/05/15 at 14:19
    @Suparno - the comments on the blog are an inappropriate place for general support questions. I believe you have also asked this on the fora, so please await an answer there, or ask on the users' mailing list.
  • #5 Hugo said on 2008/05/16 at 00:10
    My Symfony 1.0 is now up to date! Thanks a lot for this important version ;)
  • #6 arhak said on 2008/06/05 at 22:07
    Oh, this is huge!
    This is why every website should reconsider revealing a "powered by Symfony" signature.
    There are a few issues in Symfony that should be discouraged for production, only encouraged for RAD prototyping