
symfony 1.1.4 released: Security fix by Fabien Potencier – October 03, 2008 – 7 comments

In accordance with our security policy, we are releasing today symfony 1.1.4 to fix a security issue that has been reported by a symfony user earlier today. This post contains the description of the vulnerability and the description of the changes we have made to fix it. The affected symfony versions are all symfony 1.1 releases and the 1.2 branch.

Description of the vulnerability

The validation sub-framework allows the developer to embed the user-submitted value in error messages. If you use the submitted value in some of your own error messages, or if you rely on the default error messages of some built-in validators (see the list below), you are vulnerable to cross-site scripting (XSS) because symfony does not escape the value before it is rendered in the page.

The following built-in validators are affected because they embed the submitted values in some of their default error messages:

  • sfValidatorDate
  • sfValidatorFile
  • sfValidatorInteger
  • sfValidatorNumber
  • sfValidatorString
  • sfValidatorTime

Resolution

As of symfony 1.1.4, we have changed the getArguments() method of the sfValidatorError class to escape the error messages. Here is the modified version of this method:

public function getArguments($raw = false)
{
  // $raw = true returns the arguments untouched; only callers that escape
  // themselves (or that do not render into HTML) should use it.
  if ($raw)
  {
    return $this->arguments;
  }

  $arguments = array();
  foreach ($this->arguments as $key => $value)
  {
    // Nested arrays are not placeholders and are skipped.
    if (is_array($value))
    {
      continue;
    }

    // Every scalar argument is HTML-escaped (quotes included) with the
    // validator charset, so "%value%" is safe to echo inside a message.
    $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
  }

  return $arguments;
}
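To make the change concrete, here is an added example (not code from this post or from symfony itself) that models the placeholder substitution done by sfValidatorError with a constructed message template and submitted value, rendering the message before and after the escaping introduced in 1.1.4; the function names, the use of strtr() for substitution and the UTF-8 charset are assumptions.

```php
<?php
// Added example, not symfony's own code: a minimal stand-in for the
// sfValidatorError message interpolation, before and after the 1.1.4 fix.

// Pre-1.1.4 behaviour: arguments are substituted into the message untouched.
function getArgumentsUnescaped(array $arguments)
{
    $result = array();
    foreach ($arguments as $key => $value) {
        if (is_array($value)) {
            continue;
        }
        $result["%$key%"] = $value;
    }
    return $result;
}

// 1.1.4 behaviour: every scalar argument is HTML-escaped first.
// The charset parameter stands in for sfValidatorBase::getCharset() (assumed UTF-8).
function getArgumentsEscaped(array $arguments, $charset = 'UTF-8')
{
    $result = array();
    foreach ($arguments as $key => $value) {
        if (is_array($value)) {
            continue;
        }
        $result["%$key%"] = htmlspecialchars($value, ENT_QUOTES, $charset);
    }
    return $result;
}

// Placeholder substitution with strtr() (assumed to mirror what symfony does).
function renderError($messageTemplate, array $placeholders)
{
    return strtr($messageTemplate, $placeholders);
}

// Constructed input: an sfValidatorInteger-style message that reflects the
// submitted value, and a submitted value that carries HTML markup.
$template  = '"%value%" is not an integer.';
$submitted = '<script>alert(1)</script>';

// Vulnerable rendering: the markup is passed through to the browser as-is.
echo renderError($template, getArgumentsUnescaped(array('value' => $submitted))), "\n";

// Fixed rendering: the markup is neutralised into HTML entities.
echo renderError($template, getArgumentsEscaped(array('value' => $submitted))), "\n";
```

Run it with `php example.php` and compare the two lines: only the second one is safe to echo into a template without further escaping.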

The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2 (changeset 11933) branches. You can download the patch for symfony 1.1 or symfony 1.2.

Every symfony user is encouraged to upgrade as soon as possible.


  • #1 Toc said on the 2008/10/04 at 02:41
    Thanks a lot for your extremely prompt action on my report!! :)
  • #2 Yuretsz said on the 2008/10/04 at 03:55
    Instantly!
  • #3 NiKo said on the 2008/10/04 at 11:01
    My sore throat prevented me from releasing this one, thanks Fabien ;-)
  • #4 Cedric Sadai said on the 2008/10/04 at 12:01
    Hi,

    FYI, in all my freshly updated 1.1 projects, the sf version shows 1.1.5-DEV.
  • #5 Kelta said on the 2008/10/04 at 12:03
    I'm new to symfony.

    I've installed 1.1.3, how do I update to 1.1.4 with the patch? Do you install it manually or can the patch be run as a script?

    Thanks.
  • #6 Markus Lanthaler said on the 2008/10/04 at 17:38
    @Kelta: just run pear upgrade symfony/symfony
  • #7 mppfiles said on the 2008/10/05 at 15:55
    Please note, the "symfony releases" available at the main page are outdated.
    On the other hand... excellent work! Keep going!