What is Symfony?
Get started
Documentation
Community
Services
News

Latest News

New in Symfony 2.3: Small things matter

by Fabien Potencier – May 17, 2013

What happened last week in Symfony?

This week, the new Symfony 2.3 branch was created. In addition, the first Symfony 2.3 release candidate version was published, which includes tons of great small improvements. Lastly, one of the biggest Symfony events of the year, the Symfony Live Portland 2013 conference, will take place next week.

Upcoming Events

The Symfony Community organizes events all over the world on a regular basis. Here are the next ones.

Netherlands, Utrecht — Symfony Meetup - Netherlands/Utrecht

on May 22, 2013, from 19:00 to 22:00

France, Montpellier — eZ UnConference #2

from May 27, 2013 to May 29, 2013

Germany, München — Symfony User Group München

on June 05, 2013, from 18:30 to 22:30

Germany, Köln — Symfony User Group Cologne steht an!

on June 05, 2013, from 19:00 to 22:00
About

Blog

Symfony2 Security Audit
by Fabien Potencier – October 07, 2011 – 11 comments

The Symfony2 core team takes security issues very seriously; we have a dedicated procedure to report such issues, and the framework itself tries to give the developer all the features needed to secure his code easily.

Thanks to our successful community donation drive, SektionEins performed a security audit on the Symfony2 code earlier this year. The audit is now over and the good news is that the Symfony2 code is pretty solid; only minor problems have been found. They have all been addressed now, but here is the full report with the relevant commits for reference:

Symfony\Component\HttpFoundation\Request::isSecure() trusts SSL_HTTPS and X_FORWARDED_PROTO HTTP headers to decide if served by SSL. Can be used to do HTTP downgrade attacks while performing MITM. Maybe make usage configureable.

Symfony\Component\HttpFoundation\Request::getHost() trusts X_FORWARDED_HOST HTTP header. Can potentially lead to problems if getHost() is used for dev/production toggle. Or if hostname is output (xss, sql, ...) Maybe make usage configureable.

Symfony\Component\HttpFoundation\Request::prepareRequestUri() trusts X_REWRITE_URL HTTP header. Can be used to bypass URL filters enforced by Web Application Firewalls. Maybe make usage configureable.

Fixed here and here.
Symfony\Component\Validator\Constraints\TimeValidator::isValid(): Regular expression is not anchored. " evil payload ' 11:11:11 'bla " will be validated as valid time.

Fixed here
Symfony\Component\HttpFoundation\HeaderBag::__toString() uses preg_replace with /e modifier. Seems safe but it would be better to replace with some statement not doing dynamic eval()

Symfony\Component\DependencyInjection\Container::camelize() uses preg_replace with /e modifier. Seems safe but it would be better to replace with some statement not doing dynamic eval()

Symfony\Component\Form\Util\PropertyPath::camelize() uses preg_replace with /e modifier. Seems safe but it would be better to replace with some statement not doing dynamic eval()

Fixed here
Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder: Usage of this encoder should be discouraged. Remove it or issue warning on usage.

The PlaintextPasswordEncoder has been kept as it is needed when using Digest authentication.
Cookie::fromString() trusts the data string. Therefore a cookie header can set a cookie as secure even if the response/uri is HTTP only. This is a security problem because a HTTP man in the middle attack could inject a HTTPS cookie into BrowserKit. Suggestion is to ignore the secure flag if the original uri is not given or is not HTTPS.

Fixed here
Symfony\Bundle\FrameworkBundle\Client::getScript(): If any of the $kernel/$request properties contain input like ');phpinfo();// this will get executed. Also ' in filenames would just break the code.

Symfony\Component\HttpKernel\Client::getScript(): If any of the $kernel/$request properties contain input like ');phpinfo();// this will get executed. Also ' in filenames would just break the code.

Fixed here
Symfony\Component\Security\Core\Authentication\Provider\AnonymousAuthenticationProvider::authenticate(): $key is compared with !=. For security purposes !== is recommended.

Fixed here
Symfony/Bundle/FrameworkBundle/Resources/views/Exception/exception.html.twig: The message of an exception is printed in the format_file_from_text format. This format is marked as secure for html. However it often contains user input for exceptions. Demo: /web/app_dev.php/_profiler/export/xx<script src=data:text;,alert(123);>.txt

Fixed here

Add a Comment

Connect to post a comment

Comments

#1 eklers said on the 2011/10/07 at 10:34

Symfony2 is shaping up to be fantastic!
#2 whisller said on the 2011/10/07 at 11:07

Great!
#3 Roman Marintsenko said on the 2011/10/07 at 12:28

nice, thanks!
#4 Christian said on the 2011/10/07 at 16:12

Thanks for sharing this information! Looks very solid both for the framework and SektionEins' work. Cool side effect of the decoupling is that Silex automatically benefits as well. :)
#5 julian said on the 2011/10/07 at 17:50

thank you for taking security serious and thanks for the fixes!
#6 Michal said on the 2011/10/08 at 09:22

Thanks for sharing the results of the audit. I wonder how this looks, among other frameworks - are they also audited after large releases?

Best regards,
Michal
#7 Nicolás Moreira said on the 2011/10/08 at 17:21

Symfony2 is like a Java EE for PHP, mmm maybe best!!
#8 dirk said on the 2011/10/09 at 23:34

It world perfectly on my site
#9 Guilherme David said on the 2011/10/10 at 15:33

I love how commited you guys are. Thanks for doing such a great job.
#10 Mike Purcell said on the 2011/10/19 at 01:32

Nice work. Just curious, was a similar security audit ever run against the 1.4 branch?
#11 Hugo Hamon said on the 2011/11/08 at 16:38

@Mike I don't think so!