In accordance with our security policy, we are releasing today symfony 1.1.4 to fix a security issue that has been reported by a symfony user earlier today. This post contains the description of the vulnerability and the description of the changes we have made to fix it. The affected symfony versions are all symfony 1.1 releases and the 1.2 branch.

Description of the vulnerability

The validation sub-framework allows the developer to embed the user submitted value in the error messages. If you use the submitted value in some of your error messages or if you use the default error messages provided by some built-in validators (see the list below), you are vulnerable because symfony will not escape the value for you.

The following built-in validators are affected because they embed the submitted values in some of their default error messages:

sfValidatorDate
sfValidatorFile
sfValidatorInteger
sfValidatorNumber
sfValidatorString
sfValidatorTime

Resolution

As of symfony 1.1.4, we have changed the getArguments() method of the sfValidatorError class to escape the error messages. Here is the modified version of this method:

[php]
public function getArguments($raw = false)
{
  if ($raw)
  {
    return $this->arguments;
  }

  $arguments = array();
  foreach ($this->arguments as $key => $value)
  {
    if (is_array($value))
    {
      continue;
    }

    $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
  }

  return $arguments;
}

The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2 (changeset 11933) branches. You can download the patch for symfony 1.1 or symfony 1.2.

Every symfony user is encouraged to upgrade as soon as possible.