FOSRestBundle security issue with JSONP handler
Starting with FOSRestBundle 1.2 we switched to willdurand/jsonp-callback-validator for validating JSONP callbacks. However, the change was implemented incorrectly: it validated the name of the callback query parameter rather than its value. The value is the only attacker-controlled input, and it is what gets written into the response body as JavaScript, so in the affected releases it was never checked at all. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.
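As an added illustration (not code from FOSRestBundle or from willdurand/jsonp-callback-validator), the following PHP contrasts the two checks. `CallbackValidator`, `buggyJsonpBody` and `fixedJsonpBody` are stand-ins written for this post, the query arrays are constructed inputs, and the stand-in validator only approximates what the real library accepts: a JavaScript member expression and nothing else.

```php
<?php
declare(strict_types=1);

// Stand-in validator written for this example. It accepts a bare identifier,
// dotted members (jQuery.fn.cb) and bracket indexes (cb["key"], cb[0]), so the
// value can be emitted verbatim as the head of a script response.
final class CallbackValidator
{
    private const IDENT = '[A-Za-z_$][A-Za-z0-9_$]*';
    // A bracket index: a non-negative integer or a quoted string that contains
    // no quote or backslash, so the quoting context cannot be broken out of.
    private const INDEX = '\[(?:\d+|"[^"\\\\]*"|\'[^\'\\\\]*\')\]';
    private const RESERVED = [
        'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
        'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'false',
        'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof', 'new',
        'null', 'return', 'super', 'switch', 'this', 'throw', 'true', 'try',
        'typeof', 'var', 'void', 'while', 'with',
    ];

    public static function isValid(string $callback): bool
    {
        // Anchor with \z rather than $ so a trailing newline cannot slip past.
        $pattern = '/^' . self::IDENT . '(?:\.' . self::IDENT . '|' . self::INDEX . ')*\z/';
        if (preg_match($pattern, $callback) !== 1) {
            return false;
        }
        // Drop bracket indexes, then refuse any dotted segment that is a keyword.
        $dotted = preg_replace('/' . self::INDEX . '/', '', $callback);
        foreach (explode('.', $dotted) as $segment) {
            if (in_array($segment, self::RESERVED, true)) {
                return false;
            }
        }
        return true;
    }
}

// Hypothetical handler reproducing the 1.2.0/1.2.1 mistake: the *name* of the
// query parameter is validated. "callback" is a perfectly good identifier, so
// the check always passes and the client's value is emitted unchanged.
function buggyJsonpBody(array $query, string $json): string
{
    $param = 'callback';
    if (!CallbackValidator::isValid($param)) {
        throw new InvalidArgumentException('Invalid JSONP callback');
    }
    return $query[$param] . '(' . $json . ');';
}

// Corrected handler: validate the parameter's *value*, the only input the
// client controls. PHP can also hand back an array (callback[]=x), so the
// type is checked before the validator sees it.
function fixedJsonpBody(array $query, string $json): string
{
    $callback = $query['callback'] ?? null;
    if (!is_string($callback) || !CallbackValidator::isValid($callback)) {
        throw new InvalidArgumentException('Invalid JSONP callback');
    }
    return $callback . '(' . $json . ');';
}

// Constructed inputs: a normal jQuery-style callback and an attacker-chosen one.
$json   = '{"ok":true}';
$benign = ['callback' => 'jQuery19_success'];
$evil   = ['callback' => 'alert(document.cookie)//'];

echo buggyJsonpBody($benign, $json), "\n";   // wrapped normally
echo buggyJsonpBody($evil, $json), "\n";     // attacker's script emitted verbatim
echo fixedJsonpBody($benign, $json), "\n";   // wrapped normally
try {
    fixedJsonpBody($evil, $json);            // rejected before anything is emitted
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The second `echo` is the whole problem in one line: a JSONP response is served as JavaScript and executed by the requesting page, so whatever the callback parameter contains runs there. Validating the parameter name checks a constant the server chose itself and proves nothing about the request.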