Security: Access Control Documentation Issue

Please, read this post carefully as your application may be vulnerable if you are using access control rules to secure some paths or ESI/Hincludes via the _internal routes.

We have recently discovered that the documentation for access control rules was incorrect. Thanks to Victor Berchet for reporting this issue.

This is a serious problem as these access control rules let you secure some parts of your application; it is even worse as the example in the security.yml file in the Symfony Standard Edition was also incorrect.

To make a long story short, using the ip setting in an access rule does not restrict the path to be accessible only for the given IP address:

    - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: }

The above rule does not restrict access to localhost ( for requests whose path start with /_internal. If you want paths starting with /_internal to be only accessible from localhost, use the following configuration instead:

    - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: }
    - { path: ^/_internal, roles: ROLE_NO_ACCESS }

If you want to learn more about how access control rules work, read the updated documentation, or have a look at the patch we have just pushed. The example in the Symfony Standard Edition has also been updated accordingly.

The documentation update is only the first step towards the resolution of this issue as the way access control rules can be configured is very confusing. We are working on improving access control rules configuration for Symfony 2.3.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.


Great! Should this be added to the "Security Advisories"?
I probably should not be the one to get credits for this, the issue has been reported before (sorry, can't remember by who and how).

I agree with Bernhard that this should be listed in the "Security Advisories" at
I would also like to thank Ryan for the detailed documentation:

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.