CVE-2024-50340: Ability to change environment from query
November 6, 2024 • Published by Fabien Potencier
Affected versions
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue.
The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
Description
When the register_argc_argv php directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.
Resolution
The SymfonyRuntime now ignores the argv values for non-CLI SAPI PHP runtimes.
The patch for this issue is available here for branch 5.4.
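The guard described in the resolution, together with a check of the directive as the web SAPI actually sees it, written as an added example that is not Symfony's code or the patch itself. The function names and the list of command-line SAPIs are assumptions made for illustration.

```php
<?php
// Added example, not taken from the Symfony code base.
// Function names and the SAPI list below are hypothetical/assumed.

const COMMAND_LINE_SAPIS = ['cli', 'phpdbg'];

/**
 * Return the argv list that may be parsed for options such as the
 * environment or debug mode, or an empty list under a web-facing SAPI.
 */
function trusted_argv(string $sapi, array $server): array
{
    if (!in_array($sapi, COMMAND_LINE_SAPIS, true)) {
        // With register_argc_argv=On, a web SAPI fills $_SERVER['argv']
        // from the query string, so it is request input, not operator input.
        return [];
    }
    $argv = $server['argv'] ?? [];
    return is_array($argv) ? array_values($argv) : [];
}

/**
 * Summarise whether the SAPI executing this code exposes argv to requests.
 * $iniValue is the raw result of ini_get('register_argc_argv').
 */
function argv_exposure_report(string $sapi, $iniValue, array $server): array
{
    $enabled = filter_var($iniValue, FILTER_VALIDATE_BOOLEAN);
    $isCommandLine = in_array($sapi, COMMAND_LINE_SAPIS, true);

    return [
        'sapi' => $sapi,
        'register_argc_argv' => $enabled,
        'argv_present' => isset($server['argv']),
        'needs_attention' => !$isCommandLine && $enabled,
    ];
}

// Constructed sample: $_SERVER as a web SAPI could populate it (placeholder value).
$constructedWebServer = ['argv' => ['constructed-query-token'], 'argc' => 1];
var_dump(trusted_argv('fpm-fcgi', $constructedWebServer));
var_dump(trusted_argv('cli', ['argv' => ['app.php', 'cache:clear']]));

// Real values for the current process.
print_r(argv_exposure_report(PHP_SAPI, ini_get('register_argc_argv'), $_SERVER));
```

Run the report through the web server or PHP-FPM pool that serves the application rather than from a terminal, because the CLI SAPI always reports the directive as On.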
Credits
We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.
The parameter is named register_argc_argv not register_argv_argc, see https://www.php.net/manual/en/ini.core.php#ini.register-argc-argv
If you're using Symfony Docker or the API Platform distribution, your project isn't affected because our skeletons provide safe PHP defaults.
This is pretty bad. This parameter is activated by default on most hosts (platform.sh is an example).
Thanks for fixing the problem quickly.
@Thomas fixed thanks. @Renaud it's Off by default on Platform.sh, also in Debian-based distributions and many others I guess. It's On in the official Docker image unfortunately.
Ok thanks! I guess in CLI "php -i" is going to show it On because it's CLI, that's what confused me.
Indeed, this option is hardcoded as "On" for the CLI SAPI. So checking php -i will not give you the correct insights :)