FOSRestBundle security issue with JSONP handler
January 22, 2014
Published by
Lukas Kahwe Smith
Starting with FOSRestBundle 1.2 we switched to using willdurand/jsonp-callback-validator
for validation of JSONP callbacks. However, the change was implemented incorrectly: it validated the name of the callback query parameter rather than its value. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.
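To illustrate the class of bug described above, here is an added example (not FOSRestBundle's or willdurand/jsonp-callback-validator's code) with a small, assumed callback validator and two handlers: one that checks the configured parameter name, one that checks the value actually supplied by the client.

```php
<?php
// Conservative JSONP callback validator (assumed rules, not the library's):
// dotted JavaScript identifiers with optional numeric indexes,
// e.g. "jQuery123_cb" or "ns.handlers[2].done".
function isValidJsonpCallback(string $callback): bool
{
    $identifier = '[A-Za-z_$][A-Za-z0-9_$]*';
    $segment    = $identifier . '(?:\[[0-9]+\])*';
    // The D modifier stops "$" from also matching before a trailing newline,
    // so "cb\n" is rejected rather than accepted.
    return (bool) preg_match('/^' . $segment . '(?:\.' . $segment . ')*$/D', $callback);
}

// Buggy handler: validates the parameter NAME. "callback" is itself a valid
// identifier, so the check always passes and the client-supplied value is
// echoed into the script body unchecked.
function buggyJsonpBody(array $query, string $callbackParam, string $json): ?string
{
    if (!isValidJsonpCallback($callbackParam)) {
        return null;
    }
    return sprintf('%s(%s);', $query[$callbackParam] ?? '', $json);
}

// Fixed handler: validates the parameter VALUE and refuses to render otherwise
// (the caller should answer with 400 Bad Request when null is returned).
function fixedJsonpBody(array $query, string $callbackParam, string $json): ?string
{
    $callback = $query[$callbackParam] ?? '';
    if (!isValidJsonpCallback($callback)) {
        return null;
    }
    return sprintf('%s(%s);', $callback, $json);
}

// Constructed sample request: the configured parameter name is "callback",
// the supplied value is not a plain identifier.
$callbackParam = 'callback';
$query = ['callback' => 'cb();alert(1)//'];
$json  = json_encode(['user' => 'alice']);

var_dump(buggyJsonpBody($query, $callbackParam, $json));   // string: hostile value passes through
var_dump(fixedJsonpBody($query, $callbackParam, $json));   // NULL: rejected
var_dump(fixedJsonpBody(['callback' => 'ns.handlers[2].done'], $callbackParam, $json)); // string: benign callback accepted
```

The same name-versus-value mistake is easy to make with any validator that receives a configuration key; a regression test that sends a non-identifier callback value and expects a 400 response catches it.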
Comments
Patrik Karisch
said on Jan 22, 2014
at 08:04
#1
Thanks for the quick fix.
Christophe Coevoet
said on Jan 22, 2014
at 08:25
#2
Please send a PR to https://github.com/sensiolabs/security-advisories to add it in the security checker