
JsTranslationBundle Security Release

Andreas Forsblom reported two potential security issues in JsTranslationBundle: a path traversal and a remote code injection.

Indeed, the locales parameter was not validated and thus it was possible to perform the following request:

http://localhost/translations?locales=randomstring/something

The file something.js was created in the messages.randomstring subdirectory of the cache directory, which was not the intended behavior. Because of this, it became possible to traverse out of the bundle's cache directory:

http://localhost/translations?locales=randomstring/../../evil

The request above served the following file:

/var/www/someproject/app/cache/dev/bazinga-js-translation/messages.randomstring/../../evil.js

Depending on the server configuration, it was even possible to create or overwrite files in the web directory. Filtering the locales parameter mitigates this issue as well as the remote code injection one.

It was also possible to pass JavaScript code to the locales parameter, which was then injected into the generated JS files.

http://localhost/translations?locales=foo%0Auncommented%20code;

The request above generated the following code:

(function (Translator) {
    Translator.fallback = 'en';
    Translator.defaultDomain = 'messages';
    // foo
uncommented code;
})(Translator);
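Both issues come from the same root cause: an unvalidated locales value reaching a file path and a generated JS file. The following PHP 8 script is an added example, not code from JsTranslationBundle or its 2.1.1 fix. It shows the kind of allow-list check the post refers to as "filtering the locales parameter", plus a lexical containment check on the resulting cache path as defence in depth. LOCALE_PATTERN, validateLocales(), normalizePath(), resolveCachePath() and renderTranslatorJs() are assumed names; the cache directory and domain follow the paths quoted above, and the `<cacheDir>/<domain>.<locale>.js` layout is inferred from them.

```php
<?php
declare(strict_types=1);

// Added example, not JsTranslationBundle's own code. Names below are assumptions.

// Conservative locale shape: "en", "fr", "pt_BR", "sr_Latn". Nothing that
// contains "/", ".", a newline or ";" can match. The D modifier matters:
// without it "$" also matches before a trailing "\n", so "foo\n" would pass.
const LOCALE_PATTERN = '/^[a-z]{2,3}(?:_[A-Z][a-z]{3})?(?:_[A-Z]{2})?$/D';

/** Split a raw `locales` query value on "," and keep only well-formed codes. */
function validateLocales(string $raw): array
{
    $valid = [];
    foreach (explode(',', $raw) as $candidate) {
        $candidate = trim($candidate);
        if ($candidate !== '' && preg_match(LOCALE_PATTERN, $candidate) === 1) {
            $valid[] = $candidate;
        }
    }
    return array_values(array_unique($valid));
}

/**
 * Resolve "." and ".." segments lexically, without touching the filesystem,
 * so a path can be checked before any file is created.
 */
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $segment;
    }
    return '/' . implode('/', $out);
}

/**
 * Build "<cacheDir>/<domain>.<locale>.js" as the report describes and return
 * null when the normalised result no longer lies inside $cacheDir.
 */
function resolveCachePath(string $cacheDir, string $domain, string $locale): ?string
{
    $base = normalizePath($cacheDir);
    $target = normalizePath($base . '/' . $domain . '.' . $locale . '.js');
    return str_starts_with($target, $base . '/') ? $target : null;
}

/** Emit the wrapper JS; a locale reaches the comment only after validation. */
function renderTranslatorJs(string $locale): string
{
    if (preg_match(LOCALE_PATTERN, $locale) !== 1) {
        throw new InvalidArgumentException('invalid locale');
    }
    return "(function (Translator) {\n"
        . "    Translator.fallback = 'en';\n"
        . "    Translator.defaultDomain = 'messages';\n"
        . "    // " . $locale . "\n"
        . "})(Translator);\n";
}

// Constructed inputs mirroring the requests in the report.
$cacheDir = '/var/www/someproject/app/cache/dev/bazinga-js-translation';
$samples = ['en,pt_BR', 'randomstring/something', 'randomstring/../../evil', "foo\nuncommented code;"];
foreach ($samples as $raw) {
    $kept = validateLocales($raw);
    printf("%-32s => %s\n", json_encode($raw), $kept ? implode(',', $kept) : '(rejected)');
}

// The containment check on its own, fed the unfiltered traversal value and a valid one.
var_dump(resolveCachePath($cacheDir, 'messages', 'randomstring/../../evil'));
var_dump(resolveCachePath($cacheDir, 'messages', 'fr'));
echo renderTranslatorJs('fr');
```

The allow-list is the actual fix; the containment check only catches what the allow-list would have let through if it were later relaxed, and it is done lexically rather than with realpath() so that it works before the target file exists.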

These two issues have been fixed in version 2.1.1. All users must upgrade to this release!

For further information, please read the release note.
