symfony 1.1.4 released: Security fix

In accordance with our security policy, we are releasing today symfony 1.1.4 to fix a security issue that has been reported by a symfony user earlier today. This post contains the description of the vulnerability and the description of the changes we have made to fix it. The affected symfony versions are all symfony 1.1 releases and the 1.2 branch.

Description of the vulnerability

The validation sub-framework allows the developer to embed the user submitted value in the error messages. If you use the submitted value in some of your error messages or if you use the default error messages provided by some built-in validators (see the list below), you are vulnerable because symfony will not escape the value for you.

The following built-in validators are affected because they embed the submitted values in some of their default error messages:

  • sfValidatorDate
  • sfValidatorFile
  • sfValidatorInteger
  • sfValidatorNumber
  • sfValidatorString
  • sfValidatorTime

Resolution

As of symfony 1.1.4, we have changed the getArguments() method of the sfValidatorError class to escape the error messages. Here is the modified version of this method:

[php]
public function getArguments($raw = false)
{
  if ($raw)
  {
    return $this->arguments;
  }

  $arguments = array();
  foreach ($this->arguments as $key => $value)
  {
    if (is_array($value))
    {
      continue;
    }

    $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
  }

  return $arguments;
}

The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2 (changeset 11933) branches. You can download the patch for symfony 1.1 or symfony 1.2.

Every symfony user is encouraged to upgrade as soon as possible.

If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Comments

Thanks a lot for your extremely prompt action to my report!! :)
Instantly!
My sore throat prevented me to release this one, thanks Fabien ;-)
Hi,

Fyi, in all my 1.1 freshly updated project, the sf version shows 1.1.5-DEV.
I'm new to symfony.

i've installed 1.1.3, how do i update to 1.1.4 with the patch? Do you install it manually or can the patch be run as a script?

Thanks.
@Kelta: just run pear upgrade symfony/symfony
Please note, the "symfony releases" available at the main page are outdated.
On the other hand...excellent work! Keep going

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.