Security: Access Control Documentation Issue

Please read this post carefully, as your application may be vulnerable if you are using access control rules to secure some paths or ESI/Hincludes via the _internal routes.
We have recently discovered that the documentation for access control rules was incorrect. Thanks to Victor Berchet for reporting this issue.
This is a serious problem, as these access control rules let you secure some parts of your application; it is even worse because the example in the security.yml file of the Symfony Standard Edition was also incorrect.
To make a long story short, using the ip setting in an access rule does not restrict the path to being accessible only from the given IP address:
access_control:
    - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
The above rule does not restrict access to localhost (127.0.0.1) for requests whose path starts with /_internal. Access control rules are evaluated in order and only the first matching rule is applied; the ip option is a matching criterion, not a restriction. The rule above therefore applies only to requests coming from 127.0.0.1, and a request for /_internal from any other address matches no rule at all, so nothing restricts it. If you want paths starting with /_internal to be accessible only from localhost, add a second, catch-all rule that denies everyone else:
access_control:
    - { path: ^/_internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
    - { path: ^/_internal, roles: ROLE_NO_ACCESS }
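To make the first-match behaviour concrete, here is a small Python model of how Symfony evaluates access_control rules, written for this post as an added example (it is not Symfony code and does not call the Symfony API): rules are tried in order, the first rule whose path and ip criteria match supplies the required roles, and a request that matches no rule is not restricted at all. The two rule sets are the incorrect and corrected configurations from this post; the request paths, the remote address 203.0.113.7 and the find_unguarded_ip_rules() lint are constructed for the example and are assumptions of this model.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Sequence


class Rule:
    """One access_control entry: a path regex, the required roles and an optional ip criterion."""

    def __init__(self, path: str, roles: Sequence[str], ip: Optional[str] = None) -> None:
        self.path = re.compile(path)
        self.roles = tuple(roles)
        # This model accepts a single address or a CIDR range for `ip`
        # (a modelling choice, not a claim about every Symfony version).
        self.ip = ipaddress.ip_network(ip, strict=False) if ip is not None else None

    def matches(self, path: str, client_ip: str) -> bool:
        """A rule matches only when every criterion it declares matches the request."""
        if not self.path.search(path):
            return False
        if self.ip is not None and ipaddress.ip_address(client_ip) not in self.ip:
            return False
        return True


def first_matching_rule(rules: Iterable[Rule], path: str, client_ip: str) -> Optional[Rule]:
    """Rules are evaluated in order; the first one that matches wins, later ones are ignored."""
    for rule in rules:
        if rule.matches(path, client_ip):
            return rule
    return None


def is_granted(rules: Sequence[Rule], path: str, client_ip: str,
               user_roles: Iterable[str] = ()) -> bool:
    """Decide a request: no matching rule means no restriction at all."""
    rule = first_matching_rule(rules, path, client_ip)
    if rule is None:
        return True  # nothing matched, so the firewall imposes no requirement
    held = set(user_roles)
    for required in rule.roles:
        # IS_AUTHENTICATED_ANONYMOUSLY is satisfied by every request, including anonymous ones;
        # any other attribute must be a role the user actually holds.
        if required == "IS_AUTHENTICATED_ANONYMOUSLY" or required in held:
            return True
    return False  # e.g. ROLE_NO_ACCESS, a role nobody has


def find_unguarded_ip_rules(rules: Sequence[Rule]) -> List[str]:
    """Constructed lint: an ip-restricted rule whose path pattern is not followed by a
    catch-all rule (same pattern, no ip) leaves that path open to every other address."""
    unguarded = []
    for i, rule in enumerate(rules):
        if rule.ip is None:
            continue
        covered = any(later.path.pattern == rule.path.pattern and later.ip is None
                      for later in rules[i + 1:])
        if not covered:
            unguarded.append(rule.path.pattern)
    return unguarded


# The incorrect example: a single ip-restricted rule.
VULNERABLE = [
    Rule(r"^/_internal", ["IS_AUTHENTICATED_ANONYMOUSLY"], ip="127.0.0.1"),
]

# The corrected configuration: the same rule followed by a catch-all denial.
FIXED = [
    Rule(r"^/_internal", ["IS_AUTHENTICATED_ANONYMOUSLY"], ip="127.0.0.1"),
    Rule(r"^/_internal", ["ROLE_NO_ACCESS"]),
]


if __name__ == "__main__":
    # Constructed requests: one from localhost, one from an outside address.
    requests = [("/_internal/secure/foo", "127.0.0.1"),
                ("/_internal/secure/foo", "203.0.113.7"),
                ("/blog", "203.0.113.7")]
    for name, rules in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        for path, ip in requests:
            print(f"{name:10} {ip:12} {path:24} -> {'allowed' if is_granted(rules, path, ip) else 'denied'}")
        print(f"{name:10} unguarded ip rules: {find_unguarded_ip_rules(rules)}")
```

Running the script shows the outside address reaching /_internal under the single-rule configuration and being denied once the ROLE_NO_ACCESS rule follows it, while /blog, which matches neither rule, stays unrestricted in both cases. The same idea works as a quick audit of your own security.yml: any rule that carries an ip but is not followed by a catch-all for the same path is a rule that restricts nothing.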
If you want to learn more about how access control rules work, read the updated documentation, or have a look at the patch we have just pushed. The example in the Symfony Standard Edition has also been updated accordingly.
The documentation update is only the first step towards the resolution of this issue, as the way access control rules can be configured is very confusing. We are working on improving access control rules configuration for Symfony 2.3.
Comments
I agree with Bernhard that this should be listed in the "Security Advisories" at symfony.com/security.